Ask any CISO to articulate the ROI of their firm’s cybersecurity investment — or, worse yet — to defend an increase to the security budget, and you’re likely to get anything from a threat heat map to a 5×5 grid to a list of the latest threats with a flowchart of how the firm is addressing them. It’s no wonder that cyber risk quantification (CRQ) has been among the top inquiry topics in the past year from Forrester clients in both security and risk roles. It’s also a common theme among software and services providers in briefings.
Undoubtedly, as cybersecurity is a board-level concern and senior executive conversation, the pressure builds for CISOs to shift from “explaining” to quantifying cybersecurity efforts. Last year, Alla Valente and I set out to explore this budding space, beginning Forrester’s formal coverage of the CRQ market.
After many months, numerous briefings, demos, and interviews with end users and providers, we published the report, Transform Cyber Risk Management With Cyber Risk Quantification. The report explains the value, challenges, and common use cases for CRQ. It also maps the technology and services providers that are making cyber risk quantification a reality.
What we found is predictable but hopeful: The CRQ market is nascent, the journey is fraught with challenges, and it requires significant commitment from firms. But as this market evolves and vendors partner with firms to help them operationalize the results, CRQ will fundamentally revolutionize the way that security leaders engage with boards and executives to discuss cybersecurity.
Key Cyber Risk Quantification Trends
As one of our interviewees accurately summarized, the momentum in the CRQ market exists to help CISOs “put the crayons down” (their words, not ours) and graduate from the legacy red, orange, green dashboards. In our research, we found that the following trends exist in the market today:
- Software and services providers vie for customers but offer different approaches. The CRQ market today is made up of a small number of product vendors, vendors in related categories (such as cyber risk ratings), and consulting firms with CRQ services offerings. Consulting firms have earned substantial revenue supporting clients in mature industries, such as financial services, in implementing CRQ programs. Consulting firms have demonstrated CRQ success, but ultimately, the high cost and lack of sustainability and repeatability limit the affordability of this approach. On the other hand, software providers, described by some as “spreadsheets with a GUI,” lack the support and reference data required for a successful launch. This has created a complex mix of product and services approaches for security leaders to choose from for their CRQ efforts.
- Most are under the impression that FAIR is their only option. It’s not. Early efforts in CRQ centered on the FAIR (Factor Analysis of Information Risk) methodology. While FAIR still prevails and many firms align to it, we also identified several software and consulting players taking entirely different approaches based on alternative methods and data sources. The most common challenge to implementing FAIR cited in our research is the difficulty of getting the project off the ground, with some likening it to “an academic science project.”
- When firms try to boil the ocean, they achieve little. One common cause of failure is starting with a scope that is far too large. CRQ works most effectively when the scope of analysis is contained and drives a specific management decision. Clients that have succeeded often respond to specific scenarios such as a budget challenge, a prioritization decision on a project, or a specific request on a specific topic (e.g., what is our exposure to a ransomware attack?). Security leaders should start by identifying the specific questions and decisions they can use to demonstrate the value of CRQ via a small pilot, one where the data can be gathered quickly and the decision point being supported is clear cut.
This blog and report are the first in a stream of Forrester research planned for 2022. Those considering or implementing a CRQ program, as well as vendors supporting this market, should watch for the first major evaluation of the CRQ market to kick off mid-year. This research will help security leaders gain insight into the right vendors to partner with as they launch this crucial initiative.
Forrester clients can read the research outlining the CRQ market and the struggles security leaders are facing by reading the report here.