November 21, 2022

2023 is the Year of Cyber Risk Quantification

CRQ is the hottest thing in cybersecurity right now.

By John Chambers, Founder and CEO of JC2 Ventures

When the dot com bubble burst in 2001, Cisco dropped from +70% growth to -45% growth within a matter of weeks. Today, in 2022, the world is witnessing an immense magnitude of uncertainties and variables coexisting simultaneously – geopolitical tensions, supply chain challenges, an economic slowdown, an ongoing pandemic, and more. Businesses and individuals have been impacted in ways that will have a ripple effect for many years to come.

As headlines are dominated by the Federal Reserve’s decisions to continue to increase interest rates to control inflation, which will ideally lead to the market settling after three to four quarters, businesses need to ensure their budget is being spent correctly. Something noteworthy that’s been observed is that despite the economic downturn, cybersecurity and AI are the two industries that have steadfastly grown over the past year and a half rather than contracted.

Cybersecurity is critical to business revenue, growth, reputation, and function. In my interactions with business and government leaders, there is a consensus that cybersecurity is one of the top items on the agenda of every board meeting. But are we still doing everything to manage the level of risk that exists in our hyper-connected world, or is there a missing link?

Cybersecurity: A Concern Growing More Crucial by the Year

A NASDAQ report suggests that 14 market days after a breach becomes public, the average share price bottoms out and underperforms the NASDAQ by -3.5%. An even more alarming fact is that businesses accrue more than 50% of post-breach damages as long-tail costs. More specifically, 31% of expenses are accrued in the second year, and 24% are accrued more than two years after the breach in highly regulated industries. Yet, 29% of CEOs and CISOs and 40% of chief security officers admit their organizations are unprepared for a rapidly changing threat landscape, reports ThoughtLab Group.

Cybersecurity Risk Management is at a crossroads. The future needs to be automated proactive cyber risk management. Business leaders first want to understand their threat landscape and how well they compare against the market and their peers. Beyond what the risk is, businesses need to learn how to mitigate and manage cyber risk.

The Missing Link: Understanding Cybersecurity Risk Through Quantification

To achieve a reasonable cyber risk posture, businesses currently deploy over 130 security tools to detect and contain the most crucial threats, invest in cyber insurance, and have board-level oversight, as the Cybersecurity Disclosure Act of 2015 advises public companies to have at least one Board member with technical cybersecurity knowledge. Yet, in 93% of cases, an external attacker can breach an organization's network perimeter and gain access to local network resources in less than two days.

Rightfully, business leaders and board members need:

  1. Better visualization of their company’s true cyber risk posture
  2. Data-driven reporting of security threats in real-time
  3. Proven ways to minimize the data breach costs
  4. Dollar-based cyber risk conversations with a solid business context
  5. Real-time regulatory and compliance adherence updates

What was once considered a nice-to-have cybersecurity solution has now reached the inflection point of becoming a must-have cybersecurity solution – because CRQ is the foundation for addressing the most critical concerns about a business’ cybersecurity posture. “By reexamining conventional ways of collecting data, Cyber Risk Quantification enables leaders to drive timely risk remediation and determine the necessity for scenario-based analysis” – Gartner, when introducing Cyber Risk Quantification (CRQ) as its own category.

Forrester in January 2022, Gartner in July 2022, Deloitte in June 2022, and the Ponemon Institute Cost of a Data Breach Report just last month have all brought CRQ solutions firmly to the center stage. In another Forrester report, CRQ was among the top inquiries from leaders in security and risk management roles.

According to the Cost of a Data Breach report, the most impactful methods to minimize dollar value losses include security AI and automation, Incident Response (IR) planning, and risk quantification techniques. But if we take it one step further – what is most encouraging for me, the industry, and the risk community at large – there are advanced AI-based technologies that combine the power of automation with risk quantification.

Such advanced cyber risk quantification and management (CRQM) platforms consolidate telemetry signals from a business’ attack surface and continuously update its cyber risk posture through data-science-based algorithms.

Investments That Reap the Rewards in the Short and Long Run

I look at win-win scenarios for every investment I make – in startups and people. If you look at advanced CRQ solutions from a return on investment standpoint: using risk quantification methods can reduce the cost of a potential data breach by 48% – which is a substantial win for business leaders, risk owners, security teams, and investors. That’s why, transparently, I am investing in companies like Safe Security – a cyber risk quantification and management company – that has grown significantly because of their deep understanding of market challenges and differentiated offerings. Safe Security has also recently been awarded the best Risk Management Product by the 2022 CISO Choice Awards.

The CRQ market is without industry, geography, and revenue boundaries. It is the right time for companies to invest in CRQM capabilities to build a robust cybersecurity strategy and for investors to enter this space and expand their portfolios.

The article originally appeared in TechCrunch on November 7, 2022.