Background

You cannot improve what you cannot measure.

No one sees the value of a seat belt until they have a collision. Only after an accident does one become aware of the level of risk that comes from driving without a seat belt.

Security risk is invisible, but security budgets are eye-popping. Demonstrating the value of security requires leaders to quantify risks and make them visible to the business.

Cyber risk quantification provides a framework for highlighting security risks and aligning business objectives to security budgets.

The miscommunication between security leaders and the business over cybersecurity program improvements presents a critical roadblock. Security is expensive. Today’s cybersecurity leaders are pressed to identify the people, processes, and technologies that provide the best fit and enable a more secure and compliant organization.

Stephen Ward, Vice President of Marketing at ThreatConnect, said, “As security people, it is our job to protect the organization from harm – whether it’s an enterprise, a private sector, or government agency. If we can’t articulate and enumerate what harm looks like, then we can’t rank, order, and prioritize where to focus our efforts.”

If you think about any aspect of business – sales, marketing, engineering, supply chain management – most businesses operate to come up with a profit and move on to be a market leader in that segment. You must identify what your end goal is, your acceptable cost, the metrics you need to work on so you can get closer to your end-goal. This is not new to any businessperson. But cybersecurity does not operate that way. We have to quantify risk in a fairly rigorous fashion in the same way that we can quantify our pipeline, forecast revenue, and create value for shareholders and customers.”