CRQ Lessons from EY and Balbix

April 11, 2024

Recently, we concluded a webinar with EY. During the discussion, we covered how cyber risk quantification has become a focal point for many organizations, emphasizing its role in transitioning from technical jargon to actionable business intelligence.

Here are 4 key insights from our webinar:

#1 CRQ can help articulate communication with executives

While most users want to measure the impact of threats and exposures to understand the business implications of cyber risk, others see CRQ as a crucial bridge between managing cybersecurity efforts and articulating their impact on business performance to their Boards of Directors, facilitating clearer budget and resource allocation discussions. Furthermore, with the Network and Information Systems Directive (NIS2) in full force and the Digital Operational Resilience Act (DORA) regulations looming large on the horizon, it can help boards better understand the financial risk of non-compliance.

#2 FAIR is a popular approach for CRQ but has drawbacks

The main drawbacks are that FAIR-based CRQ is a very time-intensive exercise, and users could spend months debating potential risks. It also isn’t actionable. Once you know and understand your risk findings, there isn’t a guided approach that provides insights into how you can reduce your risk. Ultimately, when CRQ isn’t done right, it could be dangerous because misinterpreting CRQ data can give a false sense of security and mislead decisions.

#3 CRQ is not as mature as market or credit risk, but it is getting there

CRQ is gaining traction and becoming a significant consideration in the business and technological landscape. Although it’s not as advanced as market or credit risk management yet, it’s quickly catching up. Cyber risks are becoming more complex and fast-changing, and it’s increasingly important to get useful insights rather than just collect data. CRQ is developing through better models and the use of AI, helping to manage and measure these dynamic risks more effectively. As organizations continue to use methods like the FAIR model and align them with rules and business practices, CRQ will be seen as a key part of managing risks and making strategic decisions.

#4 Advancements in AI can dramatically improve risk quantification

Throughout the webcast, AI’s pivotal role in CRQ is emphasized, showcasing its ability to automate data analysis and enhance decision-making. AI facilitates dynamic risk management, adapting quickly to evolving threats, and improves communication by translating cyber risks into financial metrics for stakeholders. However, challenges like data quality and the potential for misuse are acknowledged. AI’s integration into broader business strategies is deemed crucial for a holistic approach to cybersecurity. The trend towards more advanced AI applications in CRQ reflects the growing need to manage complex cyber threats effectively.

Next Steps

Cyber Risk Quantification (CRQ) is rapidly evolving from a nice-to-have into an essential component of cybersecurity budgets. If you’d like to be a board rock-star, request a demo of our CRQ capabilities here.