RiskLens CEO Nick Sanna: Cyber Risk Quantification in 2023 – Opportunities and Challenges

January 9, 2023  Nicola (Nick) Sanna

Cybersecurity budgets under pressure… regulators tightening risk disclosure rules… a breakdown in the cyber insurance market. As 2022 ended, a series of trends lined up that will set the agenda in 2023 for cyber risk and security leaders. At RiskLens, we hear from CISOs all the time with a consistent message: they need the risk measurement, management and communication tools that will position their organizations in front of the challenges ahead.

Those tools must be based on proven cyber risk quantification (CRQ) methodologies such as the Factor Analysis of Information Risk (FAIR™) to enable communicating risk in the financial terms that business leaders and regulators demand to know. With the right set of CRQ solutions, CISOs can:

  • Discuss cybersecurity initiatives in terms of strategic business objectives

  • Advocate for cybersecurity budget based on return on investment (ROI) for risk reduction

  • Compare risk levels to industry benchmarks

  • Present quantitative proof points to regulators that material risks are understood and being managed

Let’s look at the landscape for CRQ in 2023, both the opportunities and the challenges, and how RiskLens can help you:


Macroeconomic Environment

As companies face recessionary forces and pivot from growth to profitability, cybersecurity organizations are being forced to be more cost-effective. Many CISOs are being asked to trim or delay initiatives and face stronger scrutiny of existing programs. The justification required for all levels of spend is increasing, pressuring CISOs to up their game in building stronger business cases with the CIO, the CFO, and the business executives, cases that clearly speak to the business impact of cybersecurity initiatives.

RiskLens cost-benefit analysis helps CISOs make the case for security spending based on value for risk reduction in dollar terms (ROI).

New Regulatory Requirements in the US and Abroad

Proposed rule and enforcement changes on cyber risk disclosures and board governance obligations by the Securities and Exchange Commission (SEC) and the New York Department of Financial Services (NYDFS) in the US, the Australian Prudential Regulation Authority (APRA), as well as several European regulatory bodies, are expected to go into effect in 2023. They will require organizations to run formal cyber risk assessment programs, describe to the regulators how those programs identify material cyber incidents, and measure the adequacy of security controls to drive risk down to an acceptable level.

The RiskLens Professional Services team and our Consulting Partners help organizations build enterprise-level CRQ programs that efficiently assess cyber risk, flag material scenarios, and demonstrate due care to satisfy the stricter standards of regulators.

Cyber Insurance Premiums on the Rise

The explosion of cyber attacks during the pandemic broke the cyber insurance equation as claims exceeded premiums paid. This led to a major readjustment and increases in pricing that are forcing chief risk officers and CISOs to re-evaluate their coverage and to more diligently assess their coverage needs, including possibly self-insuring.

Find out how RiskLens can help you quantify your top cyber risks and compare your insurance needs with the products offered by cyber insurers.

Availability of New Outsource Solutions and Benchmark Data for CRQ

Many organizations do not have the competence, level of staffing or data to build cyber risk quantification programs in-house and need to rely on specialized third parties to benefit from CRQ.

The emergence of managed service offerings, including from RiskLens and its partners, enables companies to get the benefits of CRQ without the expense or effort to build an internal cyber risk team from scratch.

The availability of industry benchmark data – such as My Cyber Risk Benchmark from RiskLens – helps organizations that are building a CRQ program to quickly assess their cyber loss exposure, based on the experience of their industry peers.

New Controls Analytics Model Will Combine Automation, Defensibility, and Trust

Traditionally, CRQ programs have relied on analysts’ interpretation of controls status as input into their CRQ calculations, based on telemetry from cybersecurity tools or on results of audit and testing. CISOs have been asking for ways to automatically analyze telemetry and factor it into cyber risk quantification, to reduce reliance on risk analysts’ estimates whenever possible.

Coming in 2023: New RiskLens controls analytics solutions based on the FAIR Controls Analytics Model (FAIR-CAM™) will power automation without sacrificing defensibility or trust in analysis results. Contact us if you’re interested in being part of our beta program.


Compliance activities sucking the air from everything else

Many CISOs share that the majority of their cybersecurity efforts are still focused on compliance rather than proactively managing risk, as regulators and internal IT audit continue to command their attention and resources to resolve never-ending lists of findings, especially in regulated industries. Without a method to prioritize and triage those findings, many feel that they are never able to get their heads above water.

Contact us to learn how a risk-based approach to compliance management can help you to prioritize and focus on the issues that matter most to the business, and justify why other ones can confidently be de-prioritized or closed.

Seeing cyber risk quantification and management as a tool issue

The purchase of a CRQ tool alone will not ensure success, as it fails to recognize that the biggest challenge for the adoption of cyber risk quantification for many organizations is cultural. Moving to a more analytical, data-driven, and business-aligned way of measuring, managing, and communicating cyber risk is a big change in behavior for them and needs to be treated as a true program, with an organizational commitment that starts from the top.

Discover how RiskLens can support your organization in building a transformative and highly effective cyber risk management program. RiskLens has unique expertise as the original author of FAIR, and experience helping more companies build quantitative cyber risk management programs than anyone else.

Bad CRQ models

The emergence in the marketplace of “black box” CRQ tools that promise an “easy button” solution to quantitative analysis, but in fact yield unreliable, indefensible results from flawed risk models, can be a distraction for organizations that are looking for trusted analytics they can use for key reporting and decision-making.

Tip: Read Jack Jones' Buyer’s Guide to Cyber Risk Quantification, especially his buyer-beware questions to ask vendors.

Nick Sanna is CEO of RiskLens and President of the FAIR Institute.