
Kovrr

Monitoring Progress With CRQ for Cybersecurity Performance Management

Rome wasn't built in a day. It took architects, city planners, and laborers many years to construct it, making small developments every day. Just as with Rome, cybersecurity programs, too, require significant time and investment to come to fruition. However, without knowing their initial cyber risk exposure, it can be challenging for stakeholders to comprehend the full value that cybersecurity initiatives have already delivered to the organization.

Cybersecurity Maturity Model Implementation - A How-To Get Started Guide

Cybersecurity's overarching purpose is to better protect an organization against cyber events. However, especially in the corporate setting, it's not enough for chief information security officers (CISOs) to say they've implemented a patch or a firewall and, therefore, their systems are "more" secure. Not only is the result’s description vague, but it also offers very little insight into its ROI.

Determining Cyber Materiality in a Post-SEC Cyber Rule World

The Securities and Exchange Commission (SEC) in the United States approved its cyber rules in July 2023, which were originally proposed in March 2022 for public comment (SEC, 2022; 2023). This has sparked many conversations about how the board of directors and executive management should think about cybersecurity and to what extent public disclosures should be made about cybersecurity incidents and risks. Most notable among them is the requirement that material cyber incidents be reported within four days.

The Need For a Shift Up Strategy, Using CRQ for Resilience, Part 3

Whether it’s supporting initiative prioritization, as discussed in Part 1, or justifying budget requests, pursuing cost-effective strategies, and calculating risk appetite levels, as discussed in Part 2, CRQ has the power to transform an organization’s mindset to include cybersecurity in strategic risk planning conversations. This transformation, known as a Shift Up strategy toward cyber management, has become more critical than ever as cyber threats evolve.

The Need For a Shift Up Strategy, Using CRQ for Resilience, Part 2

Conducting business, no matter in which industry, is innately risky. Historically, some of the primary drivers of this business risk included natural disasters, hardware and inventory theft, legal and compliance regulations, and economic downturns. However, in the midst of the digital age, cyber threats loom as one of the most prominent forms of organizational uncertainty, housing the potential to cause trillions of dollars in damages.

Top 9 Cyber Risk Scenarios That Can Lead to Financial Loss in 2024

Pursuing a cybersecurity initiative takes more than a simple decision made by an organization’s chief information security officer (CISO). It requires resources, time, and, most crucially, buy-in from an organization’s key stakeholders, such as C-suite executives and board members. But trying to persuade the budget approvers while speaking in the technical language of cybersecurity can be off-putting.

How To Calculate Cybersecurity ROI and Communicate It to Executives

Organizational leaders have generally viewed cybersecurity as a costly yet essential business function and recognize that Chief Information Security Officers (CISOs) and other cyber leaders make strategic decisions to safeguard the company's digital assets. Still, until recently, these higher-level executives have never sought to make sense of the technical cyber activities in a broader business context, believing their value to be too complex to discern.

CRQ Journey Part 3: Communicable, Calibrated, Granular Results

My journey to finding Kovrr had been packed with headaches and puzzles that many CISOs still face today. Within a few short years of being the CISO at Avid, a content-creation software provider, I managed to implement tighter security controls and develop a framework that enabled objective progress measurement. However, I constantly faced an impasse when attempting to communicate these achievements with the board.