Quantifying the Cyber Threat: How CRQ Empowers Informed Risk Management

Deepa Seshadri, Partner, and CIO Program Leader, Deloitte India, discusses how Cyber Risk Quantification (CRQ) helps businesses transform cyber risks into actionable insights, enabling data-driven decision-making and optimal resource allocation.

Introduction:

In today's digital age, cybercrime has transitioned from a "maybe" to a "when." A startling 86% of businesses experienced data breaches in just the past year (IBM Security, 2023), each costing an average of $3.86 million. This underscores the urgency of proactive risk management strategies. In an insightful conversation with Minu Sirsalewala, Executive Editor – Special Projects, Dataquest; Deepa Seshadri, Partner and CIO Program Leader, Deloitte India, talks about the power of Cyber Risk Quantification (CRQ). CRQ goes beyond simply identifying threats, allowing businesses to quantify the potential financial impact of cyber breaches. This empowers data-driven decision-making, enabling organizations to prioritize investments and optimize resource allocation in the face of evolving threats. Read on to know more about CRQ and its potential to empower your business through advanced methodologies like FAIR and Monte Carlo simulations in this insightful interview.

How does Deloitte India leverage the synergy between quantitative models like CRQ and qualitative methods to address the evolving 2023 cyber threat landscape?

In CRQ, the synergy can best be described as a Semi-Qualitative-Quantitative approach. It truly depends on how the Organization would like to view the risks from simple High, Medium and Low to complex Heat Maps showing varied levels of risks across assets. However, for any risk outcome, there will definitely be a quantitative approach. Also, a Heat Map can be developed from both a Qualitative and a Quantitative approach. 

Considering the dynamic cyber threat landscape, we observe that cybersecurity has become a boardroom topic and is now on its agenda. In order for leadership and board members to comprehend the actual business impact, it is imperative to translate cyber risks into business terms.

As organizations increasingly embrace digitalization, mobility, data-driven practices (through analytics), and customer-centric approaches, the speed of business decisions and the objectivity of making informed decisions become crucial enablers for business success.

Given that most organizations prioritize achieving a leaner and more efficient use of resources and budgets, the Cyber Risk Quantification (CRQ) process aids in planning and optimally investing and deploying the necessary resources.

In the exploration of advanced methodologies like Factor Analysis of Information Risk (FAIR) and Monte Carlo simulations, what specific benefits or insights have these methods provided in understanding and mitigating cyber risks?

Typically, the FAIR and the Monte Carlo Simulation require at first; (a) To identify the Cyber Risk Scenarios,(b) Identify the frequency or probability factor, (c) Evaluation of impact and the magnitude (d) Drive and articulate the actual risk value. This standardized approach provides benefits and insights in terms of;

·         Being driven by a data-centric model and objective analysis which enables informed decision-making.

·         These models help articulate business impact that is easy for C-Level executives to understand and decide next steps.

·         Companies opting for Cyber Insurance benefit from these models.

·         CRQ models help and enable ROI on Security investments and efforts taking a risk-based approach so there is no overprotection or under-protection of an asset.

How do you integrate qualitative factors, such as organizational culture and human behavior, into your quantitative risk assessments?

Most organizations look towards establishing a Risk Intelligent culture – This happens when the understanding and attitudes of an organization’s employees towards risk consistently guide them in making appropriate risk-based decisions. Measuring risk begins with identifying the risk culture influencers. i.e.

Risk Competence – The collective risk management competence of the organization, typically covered through skills, knowledge, recruitment and induction, etc.

Motivation – The reasons why people manage risk the way they do, typically covered through performance management, incentives, accountability, etc.

Relationships – How people in the organization interact with others, typically covered through leadership, communication, challenge, etc.

Organization – How the organizational environment is structured and what is valued, typically covered through risk governance, policies-procedures, strategy and objectives, etc.

Quantification and reporting – Keeping the above in perspective, the leading and lagging cultural indicators can be defined, tracked, monitored and reported.

A few examples of quantified cultural indicators could include the percentage of people who have completed mandatory training requirements, trends in risk-weighted performance metrics for divisional/regional managers, and the number of limit breaches, among others.

What types of data sources do you rely on for assessing cyber risk, and how do you ensure the accuracy and reliability of this data?

Typical data sources include Risk Registers that have Risk Assessments Control in place, residual risks, compliance and control effectiveness-related data that may be captured manually or in the GRC tools, etc. Additional data could be used from Splunk, IDS/IPS, and threat intel tools, and it is good to also include Internal audit and external audit reports.

The accuracy and reliability of the data will depend on how the organization's Configuration Management Database (CMDB) and/or Asset Management tool are configured, as well as the extent to which other systems/applications are integrated and any data transition or transposition logic involved.

Can you elaborate on how the PoV, 'Cyber Risk Quantification - A Pragmatic Approach,' addresses the challenge of expressing cyber risks in business-relevant terms, especially in terms of financial metrics, market impact, and customer retention?

End objective of CRQ exercise is to integrate the Risk exposure / Current state risk and the impact they have on the business. Categories of business impact are mainly financial impact, regulatory impact, customer impact, operational impact and societal/environmental impact. Different Organizations across their life cycle have one or more of these impacts on their priorities. E.g. A Trading Company prioritizes financial impact a little more than societal/environmental impact, while an EV Organization has to prioritize environmental impact. Furthermore, banking and health organizations are subject to stringent regulatory impacts that are equally important.

It is very important to identify the key metrics across these impact categories.

Given your specialization in both cyber strategy and emerging technologies, how do you see advancements such as artificial intelligence and blockchain impacting cyber risk quantification strategies within manufacturing and technology sectors?

Risk principles should be underpinned by the use of AI, Blockchain and Emerging technologies. Risk Fundamentals typically include – Setting Risk Appetite/baselines / Thresholds, Risk Quantification, Risk Governance, Risk Reporting, Risk Culture, etc.

Emerging technologies are more of business enablers, but are not the core business objectives. It is important to understand that there are two types of use cases for emerging technologies, basis which the approach and configuration towards risk appetite levels could vary.

1st type of use case – By business to bring business efficiencies through digitalization and operational excellence.

2nd type of use case – By Cyber Security teams to enable preventive, detective, and corrective controls in complex and data-intensive organizations.

Cyber risk quantification is the fundamental principle that would not be altered by thesetechnologies, however, these technologies could improve the efficacy towards the quantification exercise.

How do you prioritize cyber risk mitigation efforts based on the results of your quantification assessments?

The outcome of any quantification assessment will guide and prioritize the approach towards risk mitigation. For instance, risks quantified as High/Very high will be the top priority as they can significantly impact business objectives compared to medium-rated risks. Therefore, addressing Very High/High risks should take precedence and efforts should be made to bring them within acceptable limits. This can be achieved by fostering a cultural shift towards more risk-aware decisions and support, implementing proper risk governance and oversight, establishing a tone at the top, and ensuring that policies, processes, and procedures are aligned to meet the requirements of risk mitigation.