Why Cyber Risk Quantification Is ‘Becoming More Mainstream’

The evolving threat environment and growing regulatory pressures are prompting more organizations to begin measuring their cyber risk from a financial perspective, according to Optiv’s James Turgal.

Amid a convergence of factors including the intensification of both cyberthreats and regulatory pressures, more organizations are focusing on quantifying their cyber risk from a financial perspective, executives at cybersecurity powerhouse Optiv told CRN.

Increasingly, boards and C-suite executives are asking their solution and service providers for better ways to put a dollar figure on their cyber risk, which is transforming the way organizations handle budgeting and other forms of decision-making for cybersecurity, according to three executives at Optiv, No. 25 on CRN’s Solution Provider 500 for 2024.

In a nutshell, cyber risk quantification involves assessing and measuring the potential financial impact of cybersecurity-related risks to an organization. While the specific approaches can vary, such quantification typically involves analyzing the likelihood of various attacks, potential vulnerabilities within the organization's IT systems and the probable costs associated with such risks.

When it comes to cyber risk quantification, “historically, some companies have done it,” said James Turgal, vice president for cyber risk, strategy and board relations at Denver-based Optiv. But in 2024, “this is becoming more mainstream,” he said.

Turgal, who formerly served as executive assistant director for the FBI’s Information and Technology Branch, pointed to both the massive impacts from cyberattacks and the U.S. Securities and Exchange Commission’s cyber disclosure rules that took effect at the end of last year.

“The SEC guidelines for publicly traded companies are driving a higher level of conversation,” he said. “And certainly the number of [breach] victims and the high-profile victims out there are absolutely driving this conversation forward.”

In the past, quantification of cyber risk was frequently seen as optional by boards and C-level executives, who generally viewed security as a technical issue rather than a business matter.

However, as recent years have seen an explosion of disruptive ransomware attacks and highly consequential data theft incidents, more organizations are finding the incentives they need to quantify their cyber risk, Optiv executives said.

For many organizations, meanwhile, undertaking the exercise of cyber risk quantification also has relevance from a regulatory and insurance perspective.

The SEC reporting rule, for instance, requires publicly traded companies to disclose major cyberattacks within four business days of determining an incident is “material” for its shareholders.

“There's not a board presentation I do now where I'm not spending at least some time on, 'What are those rules? What is the SEC requiring?’” Turgal said. “That leads into the risk quantification conversation.”

In recent years, cyber insurance has become essentially another form of regulatory requirement for many organizations, and that likewise is helping to drive the push for quantification.

A major focus for Optiv recently has been around helping customers to quantify how making certain investments into cybersecurity can help to reduce cyber risk — as well as cyber insurance costs, said Dara Gibson, senior cyber insurance manager at Optiv.

“This allows for [the customer] to understand, ‘If I spend more here, I’m saving more here,’” Gibson said. “We’re looking at this as a strategy to identify those key components of risk, and see how [investments] for risk reduction can reduce financial burden.”

In this regard, Optiv has been working with well-known cybersecurity vendor SentinelOne to make it easier to quantify cyber risk for insurance purposes, she noted.

Using a tool from SentinelOne that can rapidly assess the security posture of a customer’s environment, solution and service provider partners such as Optiv can quickly generate a report that can be shared with insurers, said Barnaby Page, vice president for incident response and cyber risk at SentinelOne.

The vendor has mapped its telemetry to a widely used security framework, the CIS Critical Security Controls, and the reports generated by the tool can help to expedite the insurance process, Page said.

“Then the insurer can review that with the client and say, ‘Hey, this looks good,’” he said.

Saving Time

On the whole, quantifying cyber risk can enable organizations to have a more-informed decision-making process for how and where to allocate their budget, said Jason Lewkowicz, executive vice president and chief services officer at Optiv.

Part of the equation here is undoubtedly also that security expenditures can be justified when they help to ensure greater efficiency and time savings for security personnel, Lewkowicz said.

“If the technology that you're buying within the context of security is giving you the ability to more quickly identify and contain security incidents, that also equals time,” he said. “That time is saved in bringing systems back online — or of course, when those systems go offline, [you can determine] what the impact to revenue is to a business. So it all becomes quantifiable.”
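The quantification exercise the article describes (incident likelihood, per-incident cost and outage revenue loss rolled into an annual dollar figure, then compared before and after a control investment, the “spend more here, save more here” comparison Gibson and Lewkowicz describe), shown as an added Python example that is not from the article or from Optiv or SentinelOne. Every rate and dollar figure, including the $150,000 annual control cost and the assumed frequency and downtime reductions, is a constructed assumption.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    events_per_year: float      # expected incidents per year (Poisson mean)
    direct_cost_median: float   # median direct cost per incident, USD (lognormal)
    direct_cost_sigma: float    # lognormal spread of the direct cost
    mean_downtime_hours: float  # mean hours to contain and restore (exponential)
    revenue_per_hour: float     # revenue lost per hour of outage, USD

# Assumed baseline vs. a hypothetical control (faster detection and containment)
# that lowers incident frequency and shortens outages; its annual cost is assumed too.
BASELINE = Scenario(0.8, 250_000, 0.8, 72, 5_000)
WITH_CONTROL = Scenario(0.5, 250_000, 0.8, 24, 5_000)
CONTROL_COST_PER_YEAR = 150_000

def poisson(rng, lam):  # Knuth's method; adequate for the small event rates used here
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(s, trials=20_000, seed=1):
    """Simulate `trials` years; return annualized loss expectancy (mean) and 95th percentile."""
    rng, losses = random.Random(seed), []
    for _ in range(trials):
        total = 0.0
        for _ in range(poisson(rng, s.events_per_year)):
            direct = rng.lognormvariate(math.log(s.direct_cost_median), s.direct_cost_sigma)
            downtime = rng.expovariate(1.0 / s.mean_downtime_hours)
            total += direct + downtime * s.revenue_per_hour
        losses.append(total)
    losses.sort()
    return {"ale": sum(losses) / trials, "p95": losses[int(0.95 * trials)]}

def analytic_ale(s):
    """Closed-form ALE = frequency x mean per-incident loss, as a check on the simulation."""
    mean_direct = math.exp(math.log(s.direct_cost_median) + s.direct_cost_sigma ** 2 / 2)
    return s.events_per_year * (mean_direct + s.mean_downtime_hours * s.revenue_per_hour)

def rosi(ale_before, ale_after, annual_control_cost):
    """Return on security investment: net annual loss avoided per dollar spent on the control."""
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost

if __name__ == "__main__":
    before, after = simulate(BASELINE), simulate(WITH_CONTROL)
    print(before, after, rosi(before["ale"], after["ale"], CONTROL_COST_PER_YEAR))
```

The simulated ALE should land within a few percent of `analytic_ale`; the 95th percentile is the tail figure a board typically asks for alongside the expected loss.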

Looking ahead, Turgal said he expects that the move toward embracing cyber risk quantification will only continue to increase.

So far this year, “the questions I'm getting from boards and from C-suites about the whole concept of risk quantification have increased probably 50 to 100 percent,” he said. “In the next year or so, as this trend continues, this will be more of a mainstream action and not just a conversation. I think we'll really be putting plans together to drive it forward.”