The SAFE One platform makes quantitative cyber risk analysis easier than qualitative analysis, and far more reliable.
By Chad Weinman
At Safe Security, we have 10 years of experience standing up cyber risk quantification and management (CRQM) programs, and we could talk all day about the advantages of implementing FAIR, the standard for CRQM, and how it is the best way to align cybersecurity with business objectives.
Chad Weinman is VP, Risk Strategy and Success, at Safe Security
But we can hit an awkward moment when the other party admits “I don’t think we’re mature enough to quantify or run a risk management program like this. It’s complex, difficult and too much math. We don’t have trained people. Anyway, we don’t have enough data.”
Dig a little further and we find that they’re running qualitative risk analysis, which is to say sorting their risks (often with colors or numbers) based on an around-the-table consensus.
A qualitative “heat map” rating risks with colors
How we answer the maturity question
Let’s step back and go to first principles. What are you trying to achieve with your risk management program in cyber? Better communicate risk to your business stakeholders? Prioritize your limited cybersecurity resources?
We would argue you will never effectively solve for those objectives with qualitative risk analysis. To take a serious shot at qualitative analysis, you must:
- Choose a measurement, say a 5-point rating scale based on likelihood and impact
- Find definitions for what those numbers mean, and those had better be precise, because otherwise how does everyone know what a “3” or “Medium” means?
- Train everybody thoroughly to make sure they all share the same understanding of a “3”.
- Go out and collect data from subject matter experts, each applying their own interpretation of the scale
- Manually put together your reporting.
It all sounds challenging. And in the end, you still have a reading on risk built from many subjective variables.
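As an added illustration (not code from this post or from the SAFE One platform), the Python script below scores two constructed risk scenarios on an assumed 5-point likelihood/impact heat map and then estimates their annualized loss with a simplified FAIR-style Monte Carlo simulation. The only part taken from the FAIR standard is its decomposition of risk into Loss Event Frequency and Loss Magnitude; the bin edges of the qualitative scale, the triangular input ranges, the scenario names, and the effect of the what-if control are all assumptions. Both scenarios land in the same heat-map cell while their simulated annualized loss differs by more than an order of magnitude, which is exactly the information an ordinal scale throws away.

```python
"""Added illustration, not code from Safe Security or SAFE One: a 5x5 heat-map
score beside a simplified FAIR-style Monte Carlo estimate of annualized loss.

FAIR decomposes risk into Loss Event Frequency (LEF, loss events per year) and
Loss Magnitude (LM, cost per loss event). Everything else here is assumed: the
bin edges of the qualitative scale, the triangular (min, most likely, max)
input ranges, and the two constructed scenarios."""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: tuple  # (min, most likely, max) loss events per year
    lm: tuple   # (min, most likely, max) USD per loss event


# Constructed scenarios: very different exposure, same heat-map cell.
SCENARIO_A = Scenario("Phishing -> single-workstation ransomware",
                      (0.5, 1.5, 4.0), (50_000, 150_000, 400_000))
SCENARIO_B = Scenario("Stolen API key -> customer data exfiltration",
                      (2.0, 4.5, 6.0), (600_000, 900_000, 3_000_000))

# Assumed qualitative scale: one program's definition of what a "3" means.
FREQ_EDGES = (0.1, 0.5, 1.0, 5.0)     # events/year thresholds -> likelihood 1..5
IMPACT_EDGES = (1e4, 1e5, 1e6, 1e7)   # USD/event thresholds  -> impact 1..5


def ordinal_score(lef_likely, lm_likely):
    """Qualitative rating: bin the point estimates and multiply the two ranks."""
    likelihood = 1 + sum(lef_likely > edge for edge in FREQ_EDGES)
    impact = 1 + sum(lm_likely > edge for edge in IMPACT_EDGES)
    return likelihood, impact, likelihood * impact


def _poisson(rng, lam):
    """Knuth's algorithm: number of loss events in one simulated year."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate_ale(scenario, trials=20_000, seed=7):
    """Annualized loss distribution: sample an LEF for the year, draw a Poisson
    count of loss events at that rate, then sample a magnitude for each event."""
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        lo, mode, hi = scenario.lef
        lef = rng.triangular(lo, hi, mode)
        events = _poisson(rng, lef)
        lo, mode, hi = scenario.lm
        annual.append(sum(rng.triangular(lo, hi, mode) for _ in range(events)))
    deciles = statistics.quantiles(annual, n=10)
    return {"mean": statistics.fmean(annual),
            "p10": deciles[0], "p50": deciles[4], "p90": deciles[8]}


def apply_control(scenario, lef_factor):
    """What-if: a control assumed to scale loss-event frequency by lef_factor."""
    lo, mode, hi = scenario.lef
    return Scenario(scenario.name + " (+control)",
                    (lo * lef_factor, mode * lef_factor, hi * lef_factor), scenario.lm)


if __name__ == "__main__":
    for s in (SCENARIO_A, SCENARIO_B, apply_control(SCENARIO_B, 0.25)):
        heat = ordinal_score(s.lef[1], s.lm[1])
        ale = {k: f"${v:,.0f}" for k, v in simulate_ale(s).items()}
        print(f"{s.name}: heat-map {heat}, annualized loss {ale}")
```

Running the script prints the heat-map rank (both scenarios score likelihood 4, impact 3) and the mean and 10th/50th/90th percentile annualized loss for each scenario, plus a what-if in which a control cuts the second scenario's loss event frequency by 75%. Real FAIR tooling uses calibrated PERT distributions and decomposes frequency further into threat event frequency and vulnerability; the triangular draws here stand in for that.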
How we answer objections to cyber risk quantification
Back to the objections to the quantitative approach to cyber risk: complexity, data, math, people, etc.
Yes…and at SAFE we have systematically resolved each of those.
After partnering with hundreds of enterprises, and iterating based on their feedback, we managed to automate 90% of the tasks involved in assessing and managing cyber risk.
Our SAFE One platform makes cyber risk analysis continuous, so you are monitoring and managing risk, not just measuring it at a single point in time.
Cyber risk reporting on the SAFE One platform
Key features of SAFE One that automate quantitative cyber risk analysis
Attack Surface Data Collection: Through 150 API integrations we bring a client’s data straight from the source into the solution. The top three integrations that clients typically launch with are:
- Endpoint Detection and Response (EDR), which gives us a clear picture of the attack surface by telling us every endpoint being monitored.
- Vulnerability Management, which fills in more of the attack surface.
- Cloud Security Posture Management (CSPM), for configuration data, security control data, and another view of the attack surface.
Measuring controls effectiveness on the SAFE One platform
Controls Inventory and Assessment: Upload any controls assessment (NIST, ISO, CIS, etc.) and an AI agent maps your controls into our system. The FAIR Controls Analytics Model (FAIR-CAM) built into the platform monitors controls maturity and reliability for an always-updated status on controls.
Financial Impact Questionnaire: The SAFE One platform comes loaded with industry benchmark loss data based on the FAIR Materiality Assessment Model (FAIR-MAM) that quantifies the financial impact side of FAIR cyber risk analysis. The customer and a SAFE adviser also fill out the FIQ during onboarding to capture more organization-specific data. Particularly for public companies, that data is readily available.
Automated FAIR Analysis: No FAIR expertise? No problem! SAFE One simplifies risk analysis by generating and evaluating scenarios specific to your needs. Monitor top risk scenarios in real time, and explore “what-if” scenarios by adding or removing security controls or processes. The platform’s Threat Center continuously scans for emerging threats, delivering automated insights. With SAFE One, you’ll get clear, actionable reports that present cyber risks in business-friendly terms.
Bottom line on quantitative cyber risk management maturity
Whatever your current level of maturity, SAFE’s cutting-edge data, modeling, automation, and support capabilities will empower you to confidently embrace quantitative cyber risk management.