Cyber Risk Quantification (CRQ) is the practice of expressing cyber risk as a financial figure. Corporations that use CRQ can put a potential cost on each of their areas of cyber risk exposure. Managed Security Service Providers (MSSPs), who are increasingly taking over cybersecurity duties for corporate clients, may also want to employ CRQ when engaging with their clients. With CRQ, the MSSP can justify the cybersecurity program it proposes, offer the client alternatives whose cost is tied to the risk reduction they deliver, and track the progress of the program throughout the year.
The best MSSPs offer a comprehensive range of cybersecurity services that provide end-to-end protection. With CRQ, MSSPs can help their clients limit losses by understanding the financial impact of a cyber incident in advance, and they play a key role in helping businesses return to normal operations after a breach. Additionally, MSSPs can be an important part of an organization's cyber insurance renewal process and help it negotiate better premiums and deductibles, by making sure the client has the controls and resilience that insurers look for in their underwriting.
CRQ involves the analysis of financial losses incurred by peer firms in an industry for a given category of risk. The CRQ process arrives at its cost estimates using data from insurance claims, along with other sources of information about the costs of cyberattacks. Then, combined with a review of the company’s specific state of cyber readiness and history, the CRQ analysis can determine potential costs of dealing with threats like ransomware, email-borne attacks, compromised endpoints and data exfiltration, along with compliance issues related to laws like GDPR, damage to IT assets and more.
An MSSP could use CRQ with a client that asks, for example, to have its most serious risks identified. The MSSP could then make mitigating those risks the highest priority in the service arrangement. If CRQ reveals that ransomware is a million-dollar risk, while other risks would cost a fraction of that amount to handle, then the wisest path is for the MSSP and client to agree that ransomware defence is the most important workload and the one with the best return on investment.
CRQ enables the MSSP and its client to discuss cybersecurity using money as a practical, common frame of reference. This is advantageous for both parties because it avoids the frustrating experience of stakeholders from IT, security and business talking past each other using terminology and concepts that are not well understood by the others. Everyone understands money. CRQ makes what can be an esoteric dialogue about security into a relatable conversation about cost.
CRQ enables an MSSP to engage with its clients and match service budgets to risks. Instead of telling the client, "We can monitor your infrastructure for evidence of ransomware for $5,000 a month," the discussion becomes, "For $5,000 a month, we can mitigate an attack vector that could cost you a million dollars." Alternatively, the MSSP could size a service to match the estimated cost of a risk. If a DoS attack is projected to cost the client $10,000 to remediate, then the MSSP might scope its DoS detection service to align with that level of financial risk.
The decision to outsource some or all cybersecurity services to an MSSP comes from an analysis of spending versus value received. If a corporation elects to spend a million dollars a year on an MSSP, they will (or should) compare that outlay with what it would cost them to do the work in-house. The spend will also get compared to the value of the service to the business. If the MSSP charges a million dollars, will it provide more than a million dollars’ worth of cyber defense? CRQ can help answer this question, offering a measure of return on investment (ROI) for the MSSP’s services.
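The ROI question above, and the earlier points about ranking risks and matching a service budget to a risk, all rest on one calculation: an annual expected loss per risk category, and the loss avoided by a control relative to its cost. The following is an added example, not code from the page or from Kovrr, and it uses one common CRQ technique (a frequency/severity loss model with a Poisson event count and lognormal loss per event), which the page itself does not name. The scenario parameters, the $5,000/month control price and its assumed 50% frequency reduction are constructed assumptions for illustration, not real claims data.

```python
"""Expected-loss and control-ROI model in the style used for CRQ (added example)."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One risk category with a frequency/severity parameterisation."""
    name: str
    annual_frequency: float   # expected loss events per year (Poisson rate)
    severity_median: float    # median loss per event, USD
    severity_sigma: float     # lognormal spread of the per-event loss

    def mean_severity(self) -> float:
        # Lognormal mean = exp(mu + sigma^2 / 2), with mu = ln(median).
        return self.severity_median * math.exp(self.severity_sigma ** 2 / 2)

    def annual_expected_loss(self) -> float:
        # Compound-Poisson mean: rate times mean loss per event.
        return self.annual_frequency * self.mean_severity()


def rank_by_expected_loss(scenarios):
    """Most expensive risk first: the 'most serious risks' list for the client."""
    return sorted(scenarios, key=lambda s: s.annual_expected_loss(), reverse=True)


def control_roi(scenario, annual_cost, frequency_reduction, severity_reduction=0.0):
    """Value of a control that cuts event frequency and/or per-event loss."""
    before = scenario.annual_expected_loss()
    after = before * (1 - frequency_reduction) * (1 - severity_reduction)
    avoided = before - after
    return {
        "avoided_loss": avoided,
        "net_benefit": avoided - annual_cost,
        "roi": (avoided - annual_cost) / annual_cost,
    }


def _poisson_draw(rng, lam):
    # Knuth's method; fine for the small annual rates used here.
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def loss_exceedance(scenario, years=10_000, seed=7):
    """Monte Carlo annual-loss distribution: mean plus tail percentiles."""
    rng = random.Random(seed)
    mu = math.log(scenario.severity_median)
    totals = []
    for _ in range(years):
        events = _poisson_draw(rng, scenario.annual_frequency)
        totals.append(sum(rng.lognormvariate(mu, scenario.severity_sigma)
                          for _ in range(events)))
    totals.sort()

    def pct(q):
        return totals[min(len(totals) - 1, int(q * len(totals)))]

    return {"mean": sum(totals) / len(totals),
            "p50": pct(0.50), "p95": pct(0.95), "p99": pct(0.99)}


# Constructed scenarios (assumption, not claims data): parameters chosen so
# ransomware lands near the page's "million-dollar risk" and DoS near $10k.
SCENARIOS = [
    RiskScenario("ransomware", 0.6, 1_000_000, 0.8),
    RiskScenario("email-borne attack (BEC)", 1.5, 60_000, 1.0),
    RiskScenario("DoS", 2.0, 4_000, 0.6),
]
MONITORING_COST_PER_YEAR = 5_000 * 12   # the "$5,000 a month" service


if __name__ == "__main__":
    for s in rank_by_expected_loss(SCENARIOS):
        print(f"{s.name:28s} annual expected loss ${s.annual_expected_loss():>12,.0f}")
    ransomware = SCENARIOS[0]
    print("ransomware tail:", {k: round(v) for k, v in loss_exceedance(ransomware).items()})
    print("monitoring ROI:", control_roi(ransomware, MONITORING_COST_PER_YEAR, 0.5))
```

The ranked list is what a client asks for when it wants its most serious risks identified; the p95/p99 figures are what an insurer's underwriter looks at; and the ROI figure is the "$5,000 a month against a million-dollar risk" conversation in numbers. Changing the frequency reduction is where the real argument lies: the control's claimed effectiveness is the assumption that most needs evidence.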
The client does not hire the MSSP for the sake of performing security services. Rather, the MSSP is engaged to solve a problem, which usually arises from the client's lack of security personnel. The client needs security, not services. For this relationship to work, it has to be based on trust.
Cyber Risk Quantification can be a key factor in establishing a trust-based client relationship. By enabling the MSSP to show, in clear financial terms, how it is creating value for the client, CRQ provides the basis for trust. The client feels that the MSSP cares about its budget relative to risk—that the MSSP is defending the client where it matters most, not just where the MSSP stands to make money.
Kovrr Quantum provides MSSPs with a financial cyber risk quantification solution. Quantum leverages global threat intelligence and financial impact data from cyber incidents. It gives MSSPs and other stakeholders the ability to drill down into cyber event examples, examining risk vectors associated with attacks that are common in the target’s industry, along with industry-specific types of damage and other relevant data.
Get a Free ransomware analysis report at https://www.kovrr.com/cyber-risk-quantification-report