JC2 Ventures

View Original

2023 will be the year of cyber-risk quantification

CRQ is the hottest thing in cybersecurity right now

This article first appeared in TechCrunch on Monday, November 7, 2022, by John Chambers

John Chambers is the founder and CEO of JC2 Ventures. Previously he served as executive chairman and CEO of Cisco

Geopolitical tensions, supply chain challenges, an economic slowdown, an ongoing pandemic and more have meant that companies and people have been impacted in ways that will change how business will be conducted for many years to come, and the ripple effects of these converging variables will be felt for a long time.

As headlines continue to be dominated by increasing interest rates, businesses must ensure their budget is being spent efficiently. But despite the economic downturn, the cybersecurity and AI industries have grown steadily over the past 18 months or so.

Cybersecurity is critical to businesses’ revenue, growth, reputation and overall function. But are we doing everything to manage the level of risk that exists in our hyperconnected world, or is there a missing link?

Cybersecurity is growing more crucial every year

Nasdaq report suggests that 14 market days after a breach becomes public, the average share price of a company bottoms out and underperforms by -3.5% on the stock exchange. An even more alarming data point is that businesses accrue more than 50% of post-breach damages as long-tail costs.

More specifically, 31% of expenses are accrued in the second year, and 24% are accrued more than two years after the breach in highly regulated industries. Still, 29% of CEOs and CISOs and 40% of Chief Security Officers admit their organizations are unprepared for the rapidly changing threat landscape.

To put it plainly, cybersecurity risk management is at a crossroads. The future needs automated proactive cyber-risk management. Business leaders must understand their threat landscape and how well they compare against the market and their peers. What’s more, beyond what the risk is, businesses need to learn how to mitigate and manage cyber risk.

Understanding cybersecurity risk through quantification

To achieve a reasonable risk posture, businesses currently deploy over 130 security tools to detect and contain crucial threats; invest in cyber insurance; and have board-level oversight (the Cybersecurity Disclosure Act of 2015 advises public companies to have at least one board member with technical cybersecurity knowledge). Yet, in 93% of cases, an external attacker can breach an organization’s network perimeter and gain access to local network resources in less than two days.

Cyber-Risk Quantification (CRQ) has slowly grown from a nice-to-have to become the foundation for addressing the most critical concerns about a business’ cybersecurity posture. When introducing CRQ as its own category, Gartner wrote, “By reexamining conventional ways of collecting data, Cyber-Risk Quantification enables leaders to drive timely risk remediation and determine the necessity for scenario-based analysis.” More reports by Forrester and Deloitte have all brought CRQ solutions firmly to the center stage. Another Forrester report last month even stated that CRQ was among the top inquiries made by leaders in security and risk management roles.

According to IBM’s “Cost of a Data Breach” report mentioned above, the most impactful ways to minimize dollar value losses include security AI and automation, incident response planning and risk-quantification techniques. But if we take it one step further — most encouraging for me, the industry and the risk community at large — we have advanced AI-based technologies that combine the power of automation with risk quantification.

Such advanced cyber-risk quantification and management (CRQM) platforms consolidate telemetry signals from a business’ attack surface and continuously update its cyber-risk posture through data science-based algorithms.

Investments that reap the rewards in the short and long term

I look at win-win scenarios for every investment I make. If you look at advanced CRQ solutions from an ROI standpoint, using risk quantification methods could reduce the cost of a potential data breach by 48%, per the IBM report. This is a substantial win for business leaders, risk owners, security teams and investors.

The CRQ market is without industry, geography and revenue boundaries. It is the right time for companies to invest in CRQM capabilities to build a robust cybersecurity strategy and for investors to enter this space and expand their portfolios.