
CRQ Journey Part 3: Communicable, Calibrated, Granular Results

January 11, 2024


My journey to finding Kovrr had been packed with headaches and puzzles that many CISOs still face today. Within a few short years of being the CISO at Avid, a content-creation software provider, I managed to implement tighter security controls and develop a framework that enabled objective progress measurement.

However, I constantly faced an impasse when attempting to communicate these achievements to the board. The technical terms of the CIS and NIST compliance metrics took a lot of work for me to translate and for them to absorb. To learn more about my various efforts to facilitate a common understanding, read Part 1 and Part 2.

Finally, after one too many board meetings that ended in frustration, I met with Yakir Golan, CEO and Co-founder of Kovrr. In my first discussion with him, I knew that his team's financial cyber risk quantification platform was the solution I had been looking for all along.

Because it provides innovative, more detailed insights into the financial impact of cyber events, I knew this tool would finally enable me to paint a picture of my team's efforts in a way that higher management could understand.


Chapter 8: Predicting the Future With Proper Calibration

One major difficulty for those in the business of measuring risk, whether cyber, legal, environmental, or any other type of potential loss, is that the future is hard to predict accurately. Because of that, risk assessors must use probabilities to discuss what might occur in the upcoming year. 

While these probabilities are based on real-world historical data, the result is not a definitive answer but rather an estimated path, similar to how we try to predict where a hurricane lands onshore with a wide path rather than a thin line. This is why it's so important to work with a trustworthy risk evaluation platform that can provide the most objective, unbiased data. The more precise information used in the risk model, the closer the assessment can reflect the future. 

Accepting an Uncertain Reality

ISO 2700x is a family of international standards many global enterprises use to build and assess their cybersecurity program. ISO also released a risk management standard family, ISO 3100x, in which risk is defined as the "effect of uncertainty on objectives." An organization can't defend against what it doesn't know.

To put it another way, when an enterprise has a goal it's trying to achieve, the more it doesn't know on the way to that goal, the lower the chance of achieving it. Even small amounts of knowledge have a positive effect, and this effect is cumulative.

Initially, the slow progress of reducing what we don't know frustrates some people about cyber risk quantification; they come to believe that the process is a waste if it cannot produce a single, precise number. Fortunately, there is a remedy that can alleviate this skepticism.

The Power of Calibration

Generally, risk quantification assessments produce a range of likely event occurrences, similar to the predictions of the hurricane path I mentioned earlier. For instance, in the cyber landscape, an organization might face a 10% to 15% probability of experiencing a ransomware attack within a year. While a risk assessment can never provide an exact number, there are strategies one can implement to predict the financial damage and allow the company to prepare better. 

In their book How to Measure Anything in Cybersecurity Risk, Douglas W. Hubbard and Richard Seiersen discuss that humans, on average, are poor guessers. For instance, a gambler at a casino has less than a 50% chance of winning when placing an outside bet in a round of roulette. Moreover, this success rate remains roughly the same even when predicting outcomes of everyday life decisions. 

The good news for both regular humans and risk quantifiers is that we can learn to guess at a higher accuracy rate via a process called "calibration." In short, we can become better guessers by equipping ourselves with objective data, measuring it correctly, and avoiding the usual biases that arise during analysis. Hubbard and Seiersen argue that calibration can allow us to get as accurate as 90% in guessing.

Calibration in Financial Cyber Risk Quantification

In the context of financial CRQ, a model will never be able to specify a single dollar amount for loss or a single probability an event will occur. It will, however, give you estimates within a range, and the better calibrated the model is, the sharper this range will be defined. 

Therefore, when choosing a CRQ solution, a provider with the most objective, unbiased data will produce the most precise results. Just as highly seasoned meteorologists predict the path of tropical storms and depict their projection of the range of directions they might take, so too can calibrated risk quantification models reveal the possible outcomes of a cyber event. 

Chapter 9: Finally Speaking in the Boardroom’s Language

A corporate board is familiar with assessing projections from calibrated models. Budget planning, for instance, is based on revenue and sales and uses those objective numbers to predict a range of profit for the upcoming year. Similarly, Kovrr's CRQ platform allowed me to speak in the same projection language my boardroom is accustomed to.

Best of all, as opposed to using the general data I had found in the IBM study, Kovrr allowed me to depict a much closer, more detailed picture of the cyber risks Avid was facing. Simultaneously, I equipped my team with the power to generate highly targeted threat projections and communicate these risks in a language the people who were responsible for approving our budget could understand. 

Chapter 10: Running the Numbers With Kovrr

Eager to bring financially quantified insights to the board, I started working with the Kovrr team to integrate Avid's cybersecurity information with the CRQ platform. They guided me through the process and made sure they had access to the various aspects of my organization that would contribute to a more accurate assessment.

With their extensive experience in cyber risk quantification and cyber insurance, Kovrr knows the significant components for calculating risk loss projections. Among others, these include the type of cyber environment a company has, the number of records, and the location of these records. 

Additionally, Kovrr's platform takes into account an organization's existing security compliance maturity levels. This feature allowed me to upload my NIST compliance results within the system. Because we used both NIST and CIS, I also could have integrated my team's CIS levels. However, I found that NIST provided a more realistic assessment overall, as my CIS measurements were less calibrated. 

The Monte Carlo Simulation

Combined with Avid's internal cybersecurity information, Kovrr uses its privileged data set, including large-scale insurance information and offerings, to perform a Monte Carlo simulation. This statistical approach enables a risk evaluator to understand the range of possible outcomes, which, in this case, were the potential cyber risk incidents in the upcoming year.

Kovrr leveraged this simulation to predict Avid's cyber risk vulnerability within a yearly period by pretending to live that year 25,000 times. At the end of the simulation, we were presented with insights like average annual loss, biggest loss scenario, and probability of annual events. We also were able to review the probability of specific event types occurring and how much each might cost the company. 
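To make the "live the year 25,000 times" idea concrete, here is an added illustration of a compound-Poisson Monte Carlo loss model that produces the same kinds of outputs described above (average annual loss, biggest loss scenario, probability of events, and per-event-type probability and cost). It is my own toy example, not Kovrr's model or data: the event types, annual frequencies, and lognormal severity parameters are constructed and hypothetical.

```python
import math
import random
from statistics import mean

# Constructed, hypothetical event-type parameters (not Kovrr's data):
# "lam" is the expected number of events per year (Poisson rate) and
# the severity of each event is lognormal with the given median in dollars.
EVENT_TYPES = {
    "ransomware":   {"lam": 0.12, "median": 1_500_000, "sigma": 1.0},
    "data_breach":  {"lam": 0.25, "median":   400_000, "sigma": 0.8},
    "interruption": {"lam": 0.40, "median":   100_000, "sigma": 0.6},
}

def poisson(rng, lam):
    """Knuth's inverse-transform Poisson sampler (fine for small lam)."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1

def simulate_year(rng, event_types):
    """Live one year once: return {event_type: total loss that year}."""
    losses = {}
    for name, prm in event_types.items():
        n = poisson(rng, prm["lam"])                 # how many events this year
        mu = math.log(prm["median"])                 # lognormal median = e^mu
        losses[name] = sum(rng.lognormvariate(mu, prm["sigma"]) for _ in range(n))
    return losses

def run_simulation(years=25_000, seed=7, event_types=EVENT_TYPES):
    """Repeat the year many times and summarise the loss distribution."""
    rng = random.Random(seed)                        # seeded so runs are reproducible
    runs = [simulate_year(rng, event_types) for _ in range(years)]
    annual = [sum(y.values()) for y in runs]
    report = {
        "average_annual_loss": mean(annual),
        "biggest_loss_scenario": max(annual),
        "prob_any_event": mean(1 if a > 0 else 0 for a in annual),
        "per_type": {},
    }
    for name in event_types:
        hits = [y[name] for y in runs if y[name] > 0]
        report["per_type"][name] = {
            "prob_event": len(hits) / years,
            "mean_cost_when_hit": mean(hits) if hits else 0.0,
        }
    return report

if __name__ == "__main__":
    rep = run_simulation()
    print(f"AAL ${rep['average_annual_loss']:,.0f}  worst year ${rep['biggest_loss_scenario']:,.0f}")
    for name, s in rep["per_type"].items():
        print(f"{name:13s} P={s['prob_event']:.3f}  mean cost ${s['mean_cost_when_hit']:,.0f}")
```

Because the per-type probability of at least one event is analytically 1 - e^(-lam), the simulated probabilities give a quick sanity check that the sampler is behaving before any real parameters are trusted.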

Determining Risk Appetite

No matter how robust a security program is and how much budget is allocated for security initiatives, there will always be some amount of loss. This remaining risk, calculated in the scenario where all security measures have been applied, is called the residual risk. With this calculation, Avid was able to determine its risk appetite. 

Once we knew this risk from a financial perspective, we could start planning our budget for the upcoming year. This metric gives the Chief Financial Officer a more accurate view of the company's overall ROI and enables sharper projections for the boardroom.

Chapter 11: Helping Avid Prepare for a Safer Tomorrow

Thanks to Kovrr's unmatched insights into the frequency and severity of cyber events according to specific business types and geographic locations, my team now had access to the most essential pieces of information. The CRQ platform showed our expected annual loss and the worst-case scenario. It also showed us how much a new cyber initiative would save us in case of an event. 

With Kovrr's cyber risk quantification platform, I finally could justify new cybersecurity programs. I explained in a language the boardroom understood why a particular program would yield a positive ROI and how my team's efforts were directly contributing to the company's overall revenue. 

With the board members and C-suite, we developed a suitable cyber budget that would cost-effectively allow us to protect ourselves against higher-impact risks.

If you’d also like to start providing your boardroom with accurate, unbiased risk data and communicating with them in a language they understand, schedule your free Kovrr demo today.

Dmitriy Sokolovskiy

Kovrr Advisory Board
