At the MetricStream GRC Summit, held in October 2021, Gavin Grounds (Executive Director, GRC, Verizon) and Prasad Sabbineni (CTO, MetricStream) sat down for a fireside chat to discuss the implementation of quantification in risk management and how it can help CISOs and cyber security teams.
Gavin Grounds is the Executive Director for Governance, Risk, and Compliance at Verizon and has worked on risk management and cyber security [at Verizon] for over three years. He has previously worked at HP, DXC Technology, and other large organizations managing cyber security and compliance. He is also a chapter President of ISACA. As a cyber security risk professional, he has pioneered several leading concepts in cyber risk and risk quantification.
Prasad Sabbineni is Chief Technology Officer at MetricStream. He has previously worked at Citigroup and other leading banking organizations and has over 25 years of experience in risk management, compliance, and information security.
Read the abbreviated transcript to learn more about the meaning of cyber risk quantification, the need for cyber risk quantification, the current state of cyber security metrics, and how quantification will benefit Risk Officers, CISOs and security teams.
Prasad Sabbineni: Gavin, if we can start as to why it is so critical to quantify cyber risk?
Gavin Grounds: I think presently, most cyber security teams still use varying approaches based on gradients and colours, such as low, medium, high and critical, or red, amber, and green, to measure risk. However, these indicators are vague owing to the vastly complex world of cyber risk and don’t effectively support the business. In almost all other areas of business, we use actual numbers to express the level of risk associated with a specific business aspect. In general, the cyber security community is still lagging in this regard.
Prasad Sabbineni: The use of such vague indicators makes it difficult to identify the actual severity of an event. The fact that it is difficult to assess how high is ‘high’ or how red is ‘red’ renders these tools futile.
Gavin Grounds: To better manage risk, companies must make quantification of risk a prerequisite in developing and executing cyber security strategies. It is essential to assign figures and statistics to threats and to calculate risk in terms of numbers. The use of indicators such as gradients, levels, or categories does not do justice to the process of cyber risk management.
Prasad Sabbineni: Why do risk managers need to quantify risks?
Gavin Grounds: While a cyber security framework is generally used to define the action plan of a security team, the role of risk management is to define why a particular plan exists in the first place – what does – or maybe even what does not – need to be done. Therefore, risk management justifies the need for a specific cyber defence strategy.
Prasad Sabbineni: Over the last 30 years, risk has evolved in several industries and in different ways. Market risk, compliance risk, and operational risk have all taken a new shape, resulting in a natural progression towards quantification.
Gavin Grounds: When people talk about cyber risk quantification, many automatically start trying to calculate annualized loss expectancy (ALE). However, even though this method would work for other sectors, it remains an incomplete approach for managing cyber risk. ALE only looks at one aspect, i.e., what a potential loss might be; risk management requires a more holistic approach. Simply put, risk management is more about optimizing risk than reducing risk. The essence of business lies in taking a risk; the key is to understand which risks to take and how much risk to take.
The most significant drawback of only looking at ALE is witnessed when an enterprise needs to enable broader business opportunities, where it becomes imperative to increase the risk profile. The ALE approach is native to the insurance industry, which deals with a finite number of perils, where a limited number of scenarios result in those perils materializing. These are actually the statistics used by actuaries to calculate the premium they need to collect for the coverage provided.
For cyber security, however, there exists an infinite, or at least an ever-increasing number of perils that can be a result of an infinite number of scenarios. Owing to such vast possibilities, most CISOs and risk managers in the cyber security domain often tend to focus their efforts on identifying and managing the top 10 or 15 (or any other convenient figure) scenarios. However, the more significant risk associated with this approach is that the top risk might just be the 11th or the 16th one, i.e., the one that was ignored or not given due attention.
Gavin Grounds: Risk must be treated as a different currency in itself. This can be done by assigning an empirical numeric value to an asset based on its business value, or its mission criticality (perhaps the crown jewel), along with the degree of exposure or susceptibility, or vulnerability. Quantification is when the risk is assigned such a numeric value. When there is a points-based system, risk currency can be mapped to the fiscal opportunity or fiscal loss probabilities, much like forex rates, to get a clear understanding of what we stand to lose and gain when a particular risk is taken or not taken.
Prasad Sabbineni: How can companies transform cyber risk management strategies through quantification?
Gavin Grounds: The universe of cyber security is so massive and complex and that is actually why quantification becomes so necessary. My advice is to Start with what you do have, Improve based on what you could have, and always Aspire to what you should have.
There is no single answer for everyone as to where one can begin quantifying, except that the only place you can start from is where you are. So, start there – start the quantification journey based on what you do know. The only way forward is to take action and make the best out of the current circumstances. Begin with the information already present within the organization, such as which business processes hold the highest value for an enterprise and which platforms and applications support these high-value processes. Next, these platforms and applications can be quantified in terms of the intrinsic value that they hold. We can also take all of the system and user activity log information and incorporate that into our calculation of an intrinsic numeric score (points) for risk quantification. An ideal way is to start small and protect the crown jewels, those systems that support the processes and assets with the highest business value and mission criticality, by quantifying associated risks before launching an all-out cyber risk quantification campaign.
Establishing this risk-currency-based approach, using empirical numeric scoring, allows us to stack-rank assets in terms of their value and potential exposure, so as to help prioritize investment decisions, remediation activities, and the like. This approach to quantification also provides us with deeper insights into the overall operating risk of the environment, in near-real-time, that we don’t otherwise get from a model that is exclusively scenario-based and focused on ALE.
You asked earlier about how risk quantification can help in major events, such as we have seen with the COVID-19 pandemic. I think the pandemic response has allowed many companies to assess their current exposure. For those companies, it has served to at least pressure-test existing risk management and control frameworks and has provided a good line of sight and opportunity to test methodologies for managing risk. For many, it has also potentially improved the depth and accuracy of information for managing the environment. Such opportunities must be leveraged to continuously pressure-test and improve existing systems and develop, or enhance metrics, for managing cyber risk.
Prasad Sabbineni: Does quantification change the way companies manage risk associated with third parties? Any final thoughts and advice for CISOs?
Gavin Grounds: When the risk is quantified, third-party risk management changes completely. We need to have the same rigor and the same degree of telemetry over our third-party product and service providers as we do over our internal IT or delivery partners. The issue that many companies face with respect to third parties is that the techniques and the level of detail, or line of sight, that can be established for a third party are different from those for an internal function or solution. Nonetheless, the need for quantification of risk doesn’t go away. In fact, it becomes even more important. We still can – and should – use an empirical numeric quantification methodology. Asking the right questions and seeking relevant information from third parties allows companies to identify those quantifiable indicators. This, in turn, enables a clearer assessment of third-party exposure while also bridging gaps in communication between different delivery entities.
CISOs have a lot on their plate, including cyber protection, changes in the threat landscape, regulatory compliance, meeting corporate or contractual obligations and oftentimes, everything is a priority. Having a solid, quantification-based risk management methodology can make all the difference in the world to a CISO. Risk management answers the “why?” of a cyber defence strategy, answering why specific steps are taken. Quantification helps CISOs answer the question “so what?” or “why does that matter?” When we have answered that question multiple times, we have essentially landed on a risk statement and quantification makes it easier for CISOs and security teams to prioritize what is needed to protect the business from perils, while simultaneously prioritizing based on their currency value.
Prasad Sabbineni: To summarize, even a simple line of questioning can come a long way in prioritizing risks and resources to manage the risks—making it all the more important for CISOs to start quantifying cyber risks.
Get the Full Transcript: Cyber Risk Quantification: Core Metrics for Success