JC2 Ventures


Will We See Cyber Risk Quantification Everywhere This Year?

VOLUME 1 - ISSUE 11 ~ January 25, 2024

Will 2024 be the year of cyber risk quantification (CRQ)? In this edition of the “CIO Two Cents” newsletter, I talk about why I think CRQ will see widespread adoption this year. Read on for insights from me—Yvette Kanouff, Partner at JC2 Ventures—into what is on the mind of CIOs at this moment in time.

The JC2 Ventures team (John J. Chambers, Shannon Pina, John T. Chambers, me, and Pankaj Patel)

Well, it’s 2024. Organizations remain at continued risk of increasingly sophisticated cyberattacks. New SEC cyber rules, which require companies to disclose material cybersecurity incidents, are now in effect. The cybersecurity stakes for executives could not be higher. Consider statistics from Harvard Business Review, which notes that 65% of board members think their organization is at risk of a material cyberattack. Interestingly, CISOs place this risk at 48%. So, I am curious: is 2024 the year when Cyber Risk Quantification (CRQ) will be widely adopted?

To be fair, I believe that boards have taken a huge step forward in implementing regular cyber reviews and tabletop exercises. That said, a common methodology for assessing cyber risk is still to be agreed upon. The National Institute of Standards and Technology’s NIST SP 800-30 provides a risk assessment framework along with a method for rating likelihood and impact. With 15,000 members from 500 organizations, the FAIR Institute is defining a standard CRQ model. Gartner predicts that 70% of security and risk management leaders are planning to deploy CRQ within the next 2 years. This leads me to believe that CRQ will indeed be widely adopted this year.
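What a CRQ model actually produces, as an added illustration that is my own sketch and not code from JC2 Ventures, NIST, or the FAIR Institute: a FAIR-style analysis treats a risk scenario as loss event frequency (how often a loss event occurs per year) combined with loss magnitude (what one event costs), each expressed as a distribution rather than a single guess, and simulates many years to obtain an annualized loss distribution. The output is a set of numbers a board can compare against its stated risk appetite. The ransomware scenario, its parameter values, and the risk appetite figure below are constructed assumptions; a real FAIR analysis uses calibrated estimates and a finer decomposition of frequency and magnitude.

```python
"""Simplified FAIR-style cyber risk quantification via Monte Carlo.

Added illustration, not code from the newsletter, NIST, or the FAIR
Institute. Loss event frequency is modelled as a Poisson rate and loss
magnitude per event as a lognormal distribution; the simulation yields an
annualized loss distribution. All parameter values are constructed
assumptions for the example.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    event_rate_per_year: float   # mean loss-event frequency (Poisson rate)
    magnitude_median: float      # median loss per event, in currency units
    magnitude_sigma: float       # log-space spread of loss per event


def _poisson(rng: random.Random, lam: float) -> int:
    """Sample one year's event count (Knuth's algorithm, stdlib only)."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(scenario: Scenario, years: int = 20_000,
                           seed: int = 7) -> list[float]:
    """Return one simulated total loss per simulated year (deterministic per seed)."""
    rng = random.Random(seed)
    mu = math.log(scenario.magnitude_median)  # lognormal median = exp(mu)
    losses = []
    for _ in range(years):
        events = _poisson(rng, scenario.event_rate_per_year)
        losses.append(sum(rng.lognormvariate(mu, scenario.magnitude_sigma)
                          for _ in range(events)))
    return losses


def percentile(values: list[float], q: float) -> float:
    """Nearest-rank percentile, q in [0, 1]."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, max(0, math.ceil(q * len(ordered)) - 1))
    return ordered[idx]


def loss_exceedance(values: list[float], threshold: float) -> float:
    """Probability that a year's total loss exceeds the threshold."""
    return sum(1 for v in values if v > threshold) / len(values)


def summarize(scenario: Scenario, risk_appetite_p95: float,
              years: int = 20_000, seed: int = 7) -> dict:
    """Board-level figures: annualized loss expectancy (ALE), tail
    percentiles, and whether the 95th-percentile annual loss stays inside
    the stated risk appetite."""
    losses = simulate_annual_losses(scenario, years, seed)
    p95 = percentile(losses, 0.95)
    return {
        "scenario": scenario.name,
        "ale": sum(losses) / len(losses),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p95": p95,
        "prob_exceeding_appetite": loss_exceedance(losses, risk_appetite_p95),
        "within_appetite": p95 <= risk_appetite_p95,
    }


# Constructed example scenario (hypothetical values, not real data).
RANSOMWARE = Scenario("ransomware on customer portal",
                      event_rate_per_year=2.0,
                      magnitude_median=50_000.0,
                      magnitude_sigma=1.0)

if __name__ == "__main__":
    report = summarize(RANSOMWARE, risk_appetite_p95=750_000.0)
    for key, value in report.items():
        shown = f"{value:,.0f}" if isinstance(value, float) else value
        print(f"{key:>24}: {shown}")
```

The point of the exercise is the shape of the output rather than any single number: an expected annual loss (ALE), a tail figure such as the 95th percentile, and a yes/no comparison against the risk appetite the board has set. With the constructed parameters above the analytic ALE is 2 × 50,000 × e^0.5 ≈ 165,000 per year, which the simulation reproduces closely; the tail percentiles show why a point estimate alone understates the exposure.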

Throughout the past few years, there has been a lot of focus on cyber risk reports to the board, many of them still manually created. Boards have been focused on understanding risk frameworks such as NIST, ISO, OCTAVE, and ISACA. But new challenges such as deepfakes, AI-generated attacks, quantum computing, and the threat of data extortion are worrisome and require a consistent and deeper understanding of cyber risks. With few cyber experts on boards today, and a recent Diligent Institute and Corporate Board Member survey showing that cybersecurity remains the most challenging area of oversight, CRQ provides a consistent view and assessment of risk. In some cases, cyber insurance companies will assess companies based on their CRQ.

I think that CRQ doesn’t remove the expectations of board members when it comes to cyber oversight. Defining a company’s risk appetite, risk strategy, tabletop exercises for risk mitigation tactics, cyber compliance oversight, and regular reviews of a company’s cyber programs, frameworks, and performance are critical for all boards. That said, information overload makes it difficult to see if a company is doing ‘well’, ‘fair’, or ‘poorly’ with respect to best practices and industry comparisons. Sometimes more information is not the answer, but the critical information needs to be clear. I think CRQ will help.


Image of the Moment

Picture courtesy of Saket Modi

Larry Clinton (President of the Internet Security Alliance, ISA), Elias Oxendine IV (CISO of Yum Brands), Kevin McCarty (CISO of Cigna US Healthcare), Kris Lovejoy (Global Security and Resilience Practice Leader of Kyndryl), and David Burg (Americas Cybersecurity Leader, EY) discuss CRQ and board cyber risk management at November’s FAIRCON23 in Washington DC.
