The Dangers of Cyber Risk Quantification

08 April 2024

Cyber risk quantification (CRQ) is an approach to analyzing and reporting on cybersecurity risks that has grown in popularity over the past decade. One of the leading CRQ frameworks is the Factor Analysis of Information Risk (FAIR) model. The FAIR model posits that cybersecurity risk can be quantified in terms of its potential financial impact, just like any other business risk. The benefits of quantifying risk financially are that security leaders can communicate the impact of a potential cybersecurity incident in terms executives are familiar with, and that they can clearly demonstrate the effectiveness of their cybersecurity programs.

But CRQ isn’t one-size-fits-all. In fact, quantifying cyber risk in financial terms can sometimes backfire, which, ironically, makes CRQ risky. ExtraHop sat down with three current and former CISOs to get their opinions on the merits of CRQ and how best to approach it: Sam Curry is the CISO at Zscaler and has over three decades of experience as an entrepreneur, infosec expert, and executive; Julian Cohen, former CISO at Ocrolus, began his cybersecurity career as a contractor for the Department of Defense before moving into the private sector; Jerry Perullo is the former CISO of the New York Stock Exchange, founder of Adversarial Risk Management, and Professor of the Practice at the Georgia Tech School of Cybersecurity and Privacy.