Page 192 - Cyber Defense eMagazine April 2023
happening while companies face a continued shortage of cybersecurity talent and are re-evaluating their
spending in light of slowing global economic growth. Security and risk management leaders need to
identify the specific risks their companies face and communicate those risks in a way that other
stakeholders can understand to justify technology and talent investments.
Cyber-risk by the numbers
Increasingly, security executives are using cyber-risk quantification (“CRQ”) to understand their holistic
risk profile. CRQ can aid in planning security improvements to prevent data breaches, compliance
penalties, fraud, and lost customer trust. It can also provide the metrics that leaders may need to
demonstrate to board members and the C-suite the risks of underinvestment in security.
CRQ is an activity described by Gartner as “any risk assessment that measures risk exposure and
expresses it in financial or business-relevant units.” CRQ can be as simple as a scale that ranks the
likelihood and potential cost impact of specific risks. It can also be quite complex, with AI-enabled
statistical modeling and ongoing risk analysis. Forrester describes the variety of CRQ approaches as
“anything from a threat heat map to a 5×5 grid to a list of the latest threats with a flowchart of how the
firm is addressing them.” By 2024, 68% of security decision-makers plan to implement CRQ that uses AI
and ML.
Regardless of the specific method used, CRQ can help bridge one of the most widespread issues that
security leaders face: a lack of C-suite understanding of an organization’s cyber risks and their potential
financial consequences. In 2021, just half of IT leaders thought their organizations’ executives
“completely understand cyber risks.” By quantifying risk in a way that allows for the creation of
benchmarks and KPIs, CRQ can help IT leaders show the value of security investments and present
those investments as ways to protect and even drive growth. As Deloitte’s 2023 Global Future of Cyber
Survey says, cybersecurity is “becoming an essential part of the framework for delivering business
outcomes.”
Understanding existing cyber risk frameworks
Leaders who want to implement CRQ have a variety of frameworks to choose from. Factor Analysis of
Information Risk (FAIR) is the best-known option, and it expresses risk “in financial terms” to give all
stakeholders a common way to understand and talk about risk.
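The two ends of the CRQ spectrum described above, the simple likelihood/impact grid and a FAIR-style estimate in dollars, as an added worked example (it is not code from the magazine, Gartner, Forrester or the FAIR Institute). The FAIR-style part follows FAIR's basic decomposition of risk into loss event frequency times loss magnitude and estimates annualized loss with a Monte Carlo simulation; the event rate, loss range and trial count are constructed scenario values, not figures from the article.

```python
"""Cyber-risk quantification at two levels of rigor (added illustration).

Level 1: a 5x5 likelihood/impact grid, the "simple scale" form of CRQ.
Level 2: a FAIR-style Monte Carlo estimate of annualized loss in dollars,
         built from a loss event frequency and a loss magnitude distribution.
All scenario numbers below are constructed for the example.
"""
import math
import random
import statistics

# --- Level 1: qualitative 5x5 grid ------------------------------------------
# Score ceilings for each band (constructed thresholds; organizations pick their own).
BANDS = [(5, "Low"), (10, "Medium"), (15, "High"), (25, "Critical")]


def grid_score(likelihood: int, impact: int) -> tuple[int, str]:
    """Rank one risk on a 5x5 grid. Inputs are 1..5; returns (score, band)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers in 1..5")
    score = likelihood * impact
    for ceiling, band in BANDS:
        if score <= ceiling:
            return score, band
    raise AssertionError("unreachable: 25 is the largest ceiling")


# --- Level 2: FAIR-style Monte Carlo in dollars ------------------------------
def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year at mean rate lam (Knuth's method)."""
    limit, count, product = math.exp(-lam), 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_loss(rng: random.Random, event_rate: float,
                         loss_low: float, loss_mode: float, loss_high: float,
                         trials: int) -> list[float]:
    """One simulated year per trial: draw the number of events, then a
    triangular loss magnitude for each event, and sum them."""
    losses = []
    for _ in range(trials):
        events = poisson(rng, event_rate)
        # random.triangular takes (low, high, mode).
        losses.append(sum(rng.triangular(loss_low, loss_high, loss_mode)
                          for _ in range(events)))
    return losses


def summarize(losses: list[float]) -> dict[str, float]:
    """Annualized loss expectancy plus tail percentiles for a loss-exceedance view."""
    ordered = sorted(losses)

    def pct(p: float) -> float:
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {"ale": statistics.fmean(losses), "median": pct(0.5),
            "p90": pct(0.9), "p95": pct(0.95), "max": ordered[-1]}


def run_scenario(seed: int = 7, trials: int = 20_000) -> dict[str, float]:
    """Constructed scenario: on average 0.5 ransomware-style incidents a year,
    each costing between $50k and $1M with a most-likely cost of $200k."""
    event_rate, low, mode, high = 0.5, 50_000.0, 200_000.0, 1_000_000.0
    rng = random.Random(seed)
    summary = summarize(simulate_annual_loss(rng, event_rate, low, mode, high, trials))
    # Analytic check: E[annual loss] = rate * mean of the triangular distribution.
    summary["expected_ale"] = event_rate * (low + mode + high) / 3
    return summary


if __name__ == "__main__":
    print("5x5 grid, likelihood 4 x impact 5:", grid_score(4, 5))
    for key, value in run_scenario().items():
        print(f"{key:>12}: ${value:>14,.0f}")
```

The grid answers "which risks do we look at first"; the simulation answers the question the board actually asks, "what is this likely to cost us in a year, and how bad is a bad year", which is why the p90/p95 figures are reported next to the expectancy. The `expected_ale` field is a sanity check on the simulation: the sample mean should sit within a few percent of the closed-form value.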
This approach differs from existing qualitative risk management frameworks. The NIST Cybersecurity
Framework (CSF) is a federally sponsored rubric for evaluating risk across organizations. Federal
agencies are required to assess their cyber risk with this tool, but organizations in other industries have
adopted it voluntarily, particularly within critical infrastructure and manufacturing. Other frameworks like
those published by ISACA and MITRE can also help with comprehensive risk identification but don’t
express it in dollars.