Two Decades of Cyber Risk Quantification

November 16, 2023

Webinar Highlights: Uncommon Wisdom - Lessons from Two Decades of Cyber Risk Quantification

Last week, I hosted a webinar on Cyber Risk Quantification (CRQ) with Chris Novak, a world-renowned cybersecurity executive at Verizon and advisor at CISA, along with Gaurav Banga, the Founder and CEO of Balbix. The recording is available here:

Who was on the webinar:

Our attendees were primarily executive and senior management leaders, CEOs, CTOs, CISOs, and SVPs, mainly from US public companies. A significant portion of the participants came from Fortune 1000 companies, highlighting the importance and relevance of CRQ to leaders across the board.


75% of our attendees indicated they are about to start or evaluate a CRQ tool. During the conversation, we discussed the success criteria for evaluating CRQ tools.

Moreover, 95% indicated they are using a rudimentary form of CRQ, i.e., risk scores or a low, medium, or high rating. While this isn’t surprising, subjective risk scores are more complex to communicate and justify.

Overall, there were three key takeaways:

#1 CRQ is not a capability; it is an enabler

CRQ should be like radar: it provides real-time insights into cyber risk and guides teams in navigating those risks, the way radar helps pilots avoid hazardous weather.

Examples of a few outcomes that CRQ helps you achieve:

  • It facilitates cyber risk conversation with the board, ensuring alignment on areas of risk and required security budgets.
  • It allows you to quantify how effective the security controls have been in the past and demonstrate the ROI of security investments.
  • It enables organizations to communicate risk effectively across stakeholders by translating risk into dollars.

CRQ also provides a lens for what we’re doing in cyber, showing that it is effective and helping us reduce risk.
– Chris Novak

#2 CRQ is a journey

Reflecting on CRQ’s implementation challenges, Chris Novak observed:

‘There is a lot of challenge in implementing CRQ in terms of the maturity that comes with it in terms of moving away from ‘High,’ ‘Medium,’ ‘Low,’ or ‘Yes/No’ kind of older school ways.’

Implementing CRQ starts with defining the outcome you want to achieve and then addressing three dimensions:

  • Data Gathering and Improvement: The journey involves progressively gathering more relevant data, starting with a limited scope and gradually improving to capture a broader, detailed view.
  • Shift in Mindset: CRQ implementation isn’t just a technical change but also a cultural and mindset shift within the organization.
  • People/Skills Development: This dimension acknowledges the need for training and time for teams to adapt to a more data-driven approach.

CRQ is a journey, but that journey will not take you anywhere until you know where you want to end up. What’s the outcome you want to deliver?
– Gaurav Banga

#3 CRQ can help organizations address the SEC cybersecurity rule

Regarding the new SEC cybersecurity rule, Chris Novak observed:

‘We’ve seen a lot of organizations, especially with the recent SEC regulations, and a lot of organizations are taking a kind of new look at their capabilities as it relates to cyber risk quantification, and saying, “What do we have? What can we do? Who do we lean on? How do we engage?”’

How does CRQ help address the SEC’s requirements?

  • It helps determine the materiality of a risk or incident by translating cyber risks into monetary terms.
  • It helps articulate cyber risk posture in 10-K disclosures and provides clear guidance on risk exposure.
  • It enables trust by producing traceable and actionable output, allowing you to not only quantify risk but also identify the issues driving the risk.
