Security leaders need to tackle risks by speaking the language of business.
Organizations have spent millions of dollars and deployed dozens of security tools, but they are still getting breached, according to Gaurav Banga. “So, what’s happening? How can we have a risk score of 100 on a scale of 0-100 then suffer a $50 million ransomware event? That doesn’t compute -- it must mean the scales are incompatible,” Banga said.
There are two specific issues when diving deeper into the disconnect between cybersecurity investments and cybersecurity efficacy:
Jeremiah Gibber, Chief Marketing Officer at Risk Lens, suggests that “many CISOs can’t effectively prioritize among competing investment options or communicate the business value of their security programs to stakeholders because they lack the analytic tools to understand cyber and technology risk in non-technical, financial terms.”
Ward explains that “historically, if we’re looking at threat actors and tracking their tactics, techniques, and procedures (TTPs), ranking vulnerabilities by severity, or assessing controls around assets, all we’re doing is assessing one aspect of the risk equation.” Ward further states that “CRQ is about the entire picture – what we’re not doing is exposing and understanding what can happen in the outcome; the impact of an adversary acting against an asset, bypassing controls, and causing some harm.”
Organizations that effectively implement cyber risk quantification (CRQ) achieve:
• A proactive and integrated approach to tackling cybersecurity risk
• Improved security posture
• Reduced chance of ransomware and data breaches
• Greater ROI for security initiatives
• Continuous security improvement
• Improved alignment between security and business leaders
• Greater adherence to third-party frameworks