Cyber managers can do more with less, but to do so they need to quantify cyber risk and use the information to make smart choices that protect the business’s security, privacy, and cash flow.
Seventeen percent of the executives in our Global DTI survey have quantified cyber risks, and are realizing benefits from doing so. For instance, a highly acquisitive company that quantifies cyber risks can evaluate deal opportunities faster and more systematically. A financial institution that handles millions of transactions a day can do daily and weekly threat and vulnerability assessments — staying alert to the performance of underlying controls and any need to reallocate resources.
Cyber risk quantification is not for the faint-hearted, with many obstacles in the way: lack of a widely accepted model, lack of people who understand cyber and risks from a business lens, and lack of scalability. Nevertheless, nearly 60% are beginning to quantify risks or have implemented at scale. And nearly everyone else (17%) plans to begin risk quantification within the next two years.
The economics of cybersecurity has long focused on the cost side (compliance, updating capabilities, and so on). This must change. The cyber strategy reset — considering cybersecurity in every business decision — means connecting cyber budgets to overall enterprise or business unit budgets in a strategic, risk-aligned, and data-driven way.
Putting a dollar amount on the value of a cyber project, in terms of risk reduction or less costly compliance, allows comparison of the costs and value of cyber investments so they can be prioritized. Quantification also makes it easier to measure the value of the overall portfolio of cyber investments against business objectives. This kind of rigor and sophistication will be increasingly demanded — especially as the markets and regulators hold CEOs and board members more accountable for cybersecurity and privacy.
“The circumstances we find ourselves in with the economy are putting a lot of pressure on security organizations to make sure that the investments we're making are efficient and high-value.”
Partner, Risk assurance leader, PwC Kazakhstan
Tel: +7 727 330 3200
Senior Manager, information security and information technologies, PwC Kazakhstan
Tel: +7 727 330 3200 (ext. 3727)
Manager, information security and information technologies, PwC Kazakhstan
Tel: +7 727 330 3200 (ext. 3927)
Manager, Risk assurance services, cybersecurity and information privacy, PwC Kazakhstan
Tel: +7 727 330 3200