VOLUME 1 - ISSUE 11 ~ January 25, 2024
Will 2024 be the year of cyber risk quantification (CRQ)? In this edition of the “CIO Two Cents” newsletter, I talk about why I think CRQ will see widespread adoption this year. Read on for insights from me—Yvette Kanouff, Partner at JC2 Ventures—into what is on the mind of CIOs at this moment in time.
Well, it’s 2024. Organizations remain at continued risk of increasingly sophisticated cyberattacks. New SEC cyber rules, requiring companies to disclose breaches, are now in effect. The cybersecurity stakes for executives could not be higher. Consider statistics from the Harvard Business Review, which notes that 65% of board members think their organization is at risk of a material cyberattack. Interestingly, CISOs place this risk at 48%. So, I am curious—is 2024 the year when Cyber Risk Quantification (CRQ) will be largely adopted?
To be fair, I believe that boards have taken a huge step forward in implementing regular cyber reviews and tabletop exercises. That said, a common methodology for assessing cyber risk is still to be agreed upon. The National Institute of Standards and Technology’s NIST SP 800-30 attempts to measure cyber risk in addition to providing a framework. With 15,000 members from 500 organizations, the FAIR Institute is defining a standard CRQ model. Gartner predicts that 70% of security and risk management leaders are planning to deploy CRQ within the next two years. This leads me to believe that CRQ will indeed be widely adopted this year.
Throughout the past few years, there has been a lot of focus on cyber risk reports to the board, many of them still manually created. Boards have been focused on understanding risk frameworks such as NIST, ISO, OCTAVE, and ISACA. But new challenges such as deepfakes, AI-generated attacks, quantum computing, and the threat of data extortion are worrisome and require a consistent and deeper understanding of cyber risks. With few cyber experts on boards today, and a recent Diligent Institute and Corporate Board Member survey showing that cybersecurity remains the most challenging area of oversight, CRQ provides a consistent view and assessment of risk. In some cases, cyber insurance companies will assess companies based on their CRQ.
I think that CRQ doesn’t remove the expectations of board members when it comes to cyber oversight. Defining a company’s risk appetite, risk strategy, tabletop exercises for risk mitigation tactics, cyber compliance oversight, and regular reviews of a company’s cyber programs, frameworks, and performance are critical for all boards. That said, information overload makes it difficult to see if a company is doing ‘well’, ‘fair’, or ‘poorly’ with respect to best practices and industry comparisons. Sometimes more information is not the answer, but the critical information needs to be clear. I think CRQ will help.