Monetary Risk Quantification – Cyber Webinar Series Recap
For three successive weeks, Evolver cyber executives hosted a popular webinar series entitled Navigating Cyber through Monetary Risk Quantification. The three sessions covered the topics of monetary risk quantification as it applies to: purchasing cyber insurance, technology investment, and managing vendors.
Cyber Insurance Webinar Highlights
Chip Block and Ed Peck presented the overall concepts of risk quantification through the use of the software tool RiskLens. RiskLens, when used in line with the FAIR Institute standards, allows business executives to understand whether they have enough cyber insurance, which asset classes are at risk, and the relevant threats associated with that risk.
One highlight of the webinar was a series of questions that need to be addressed before buying cyber insurance:
- What are my critical assets and how much are they worth?
- What are the retroactive dates of the policy?
- What threat actors and threat actions are covered? (e.g. insider, nation state)
- How does the cyber policy interact with other insurance such as E&O and D&O?
- What should I insure and what should I fix?
[Watch recording of Cyber Insurance Webinar]
Technology Investment Webinar Highlights
Chip Block and Tim Rudolph talked about the importance of monetary risk quantification before technology investments are made, whether in tools or products. The webinar included a real example of quantifying a technology investment, covering external-facing devices, an SQL database, and the drop in risk from a Carbon Black implementation.
Of special importance in considering technology investments are these concepts:
- Getting the right size technology – and not all solutions are technical
- Realizing that compliance doesn’t always equal security
- Protecting the data, not just your perimeters
- Understanding the balance of security vs cost
- Knowing what to buy vs what to insure
[Watch recording of Technology Investment Webinar]
Vendor Management Webinar Highlights
Chip Block and Ed Peck returned to complete the cyber webinar series with a focus on monetary risk quantification as it relates to managing vendors. One key concept they noted is the long-held belief in the giant checklist. CISOs and CTOs use this giant checklist to make sure everything is running properly on their IT systems: ports on servers, passwords, software versions, and more. And then they want to think: “Now I’m done and have checked them all off. Now I’m secure, and I’ll do it again next February.” As Chip commented, “That is the world we live in and it doesn’t work.”
Instead, the cyber expert pair offered a concrete example of how to determine the level of monetary risk each vendor type poses to the organization. They offered a tiered approach to vendors: the highest-risk vendors would require a true internal look at their cybersecurity posture, whereas a low-priority vendor might only need annual surveys or an external rating service such as BitSight.
In a tangible example of monetary risk quantification as it applies to vendor management, Ed offered this scenario:
A business has a web portal to a backend database containing 10 million credit card numbers:
- Last year, it moved the database to a 3rd-party hosting organization
- It recently discovered that the 3rd-party host had a data breach in one of its hosted databases
- A subsequent independent cyber assessment discovered seven discrepancies at the vendor
During the webinar, Ed demonstrated the risk exposure to the business from moving the database to a hosting facility.
In a wrap-up statement, Chip warned: “If you are not doing quantification of your vendors, you’re wasting a lot of money, and you’re even more vulnerable than you think.”
[Watch recording of Vendor Management Webinar]
In today’s world, cyber is business. Monetary risk quantification ties the two together.
Evolver works with the CRO, CISO, and business leaders to identify key business risk elements. Then we apply the Factor Analysis of Information Risk (FAIR) model to determine quantitative risk.
Once risk has been reduced and transferred appropriately, Evolver’s cybersecurity services come into play with:
- Cyber assessments
- Policy reviews
- Penetration testing
- Vulnerability analysis
- SOC/NOC operations
- Monitoring tools
- Technology refresh
- Threat management