Q&A: Julian Meyrick on IBM Security’s Risk Quantification Services
September 22, 2020
New Risk Quantification Services from IBM Security will enable clients to set cybersecurity spending priorities by leveraging the same analytics used to make other business decisions. The ability for CISOs (Chief Information Security Officers) and CSOs (Chief Security Officers) to quantify risk will become critical as businesses migrate to the hybrid cloud, and as they continue to pursue mergers and acquisitions – where fewer than 40 percent of companies perform cybersecurity assessments as part of due diligence, according to the 2020 IBM Institute for Business Value (IBV) report “Assessing Cyber Risk in M&A.” We spoke with Julian Meyrick, Vice President, Security Strategy Risk & Compliance, IBM Security, about IBM’s new Risk Quantification Services.
How do the new Risk Quantification Services work?
IBM’s Risk Quantification Services examine risks from two perspectives, and then evaluate their business impact based on two critical factors. First, we determine the likely frequency of a cybersecurity threat to our clients, and then assess the potential impact of such threats. After that, we examine at least two types of business impacts: potential costs of a security breach within the organization, and the potential costs outside the organization such as fines or damage to a client’s reputation. To do this, we will evaluate, for example, a breach’s internal effect on productivity, plus the costs of addressing the problem and potentially having to replace or recall products. In addition, we will quantify any external losses from the standpoint of damaged reputation or regulatory fines.
Every client I’ve talked to is interested in this. So we’ve adopted assessment and operational frameworks from the Factor Analysis of Information Risk Institute (FAIR) quantitative approach to cyber risk management. FAIR has more than 9,000 members and 20 chapters worldwide, its protocols complement those of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and it has been recognized by the National Institute of Standards and Technology (NIST) as complementary to that agency’s standards. So these are not just niche capabilities. IBM supports FAIR because it’s non-proprietary. We think these standards will change the industry, and therefore they need to be usable by everybody.
Only 27 percent of CISOs and CSOs are decision makers when it comes to their organization’s security, technology and policy. So when they start talking about cyber security risk in financial terms, they’re going to be better able to justify their numbers. The business side is going to be more investigative than when the metrics were just “red, amber or green” – which is not a very effective way to express risk in business terms. The good news is that the demand for quantification will create opportunities for CISOs and CSOs to explain the differences between different types of risks in business terms.
The FAIR (Factor Analysis of Information Risk) model that IBM’s Risk Quantification Services support.
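The following is an added worked example and is not code from IBM or the FAIR Institute. It shows, in Python, the structure described in the answer above: a loss event frequency (threat event frequency multiplied by the probability that a threat event becomes a loss event) combined with a loss magnitude split into internal costs (productivity, response, product replacement) and external costs (reputation damage, regulatory fines). A Monte Carlo run over simulated years turns the three-point estimates into an annualized loss expectancy and tail percentiles, and a comparison function expresses a control as an expected loss avoided, the kind of risk-reduction figure the interview mentions for cloud migration. The scenario name, all ranges and the dollar figures are constructed for illustration, not calibrated estimates.

```python
"""FAIR-style cyber risk quantification (added illustration, not IBM's service).

Risk = loss event frequency (LEF) x loss magnitude, where
  LEF       = threat event frequency x vulnerability (P[threat event -> loss event])
  magnitude = internal (primary) losses + external (secondary) losses per event
Every number in the constructed scenarios below is invented for the example.
"""
import math
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate (minimum, most likely, maximum) for one factor."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode)
        return rng.triangular(self.low, self.high, self.likely)

    def mean(self) -> float:
        # Mean of a triangular distribution
        return (self.low + self.likely + self.high) / 3.0


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_event_frequency: Estimate   # threat contacts per year
    vulnerability: Estimate            # probability 0..1 that a threat event causes a loss
    productivity_loss: Estimate        # internal: lost productivity per event (USD)
    response_cost: Estimate            # internal: cost of addressing the problem (USD)
    replacement_cost: Estimate         # internal: replacing or recalling products (USD)
    reputation_loss: Estimate          # external: damaged reputation (USD)
    regulatory_fines: Estimate         # external: fines (USD)

    def magnitude_factors(self):
        return (self.productivity_loss, self.response_cost, self.replacement_cost,
                self.reputation_loss, self.regulatory_fines)

    def expected_annual_loss(self) -> float:
        """Closed form: E[LEF] * E[magnitude]; factors are modelled as independent."""
        lef = self.threat_event_frequency.mean() * self.vulnerability.mean()
        return lef * sum(f.mean() for f in self.magnitude_factors())


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method: number of loss events in one year given the expected rate lam."""
    limit = math.exp(-lam)
    k, p = 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate_annual_losses(scenario: Scenario, years: int = 20_000, seed: int = 7) -> list:
    """Monte Carlo: each trial is one simulated year; returns the annual loss per trial."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        lef = scenario.threat_event_frequency.sample(rng) * scenario.vulnerability.sample(rng)
        total = 0.0
        for _ in range(poisson(rng, lef)):          # each loss event gets its own magnitude
            total += sum(f.sample(rng) for f in scenario.magnitude_factors())
        losses.append(total)
    return losses


def summarize(scenario: Scenario, years: int = 20_000, seed: int = 7) -> dict:
    """ALE plus tail percentiles, the figures a CISO would put in front of the business."""
    losses = sorted(simulate_annual_losses(scenario, years, seed))

    def pct(p: float) -> float:
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {
        "scenario": scenario.name,
        "ale_analytic": scenario.expected_annual_loss(),
        "ale_simulated": statistics.fmean(losses),
        "p50": pct(0.50), "p90": pct(0.90), "p95": pct(0.95),
        "p_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


def risk_reduction(baseline: Scenario, treated: Scenario, years: int = 20_000, seed: int = 7) -> dict:
    """Expected annual loss avoided by a control, stated in the same currency as the risk."""
    before = summarize(baseline, years, seed)["ale_simulated"]
    after = summarize(treated, years, seed)["ale_simulated"]
    return {"ale_before": before, "ale_after": after, "reduction": before - after}


# Constructed scenario: sensitive data exposed through a misconfigured cloud storage bucket.
BASELINE = Scenario(
    name="misconfigured cloud storage (current state)",
    threat_event_frequency=Estimate(2, 6, 12),
    vulnerability=Estimate(0.05, 0.15, 0.30),
    productivity_loss=Estimate(20_000, 60_000, 150_000),
    response_cost=Estimate(30_000, 80_000, 200_000),
    replacement_cost=Estimate(0, 10_000, 50_000),
    reputation_loss=Estimate(50_000, 200_000, 800_000),
    regulatory_fines=Estimate(0, 100_000, 1_000_000),
)
# Same scenario after a control that makes most threat events fail (constructed estimate).
HARDENED = replace(BASELINE, name="misconfigured cloud storage (after hardening)",
                   vulnerability=Estimate(0.01, 0.03, 0.08))

if __name__ == "__main__":
    for key, value in summarize(BASELINE).items():
        print(f"{key:>14}: {value:,.0f}" if isinstance(value, float) else f"{key:>14}: {value}")
    print("risk reduction:", {k: round(v) for k, v in risk_reduction(BASELINE, HARDENED).items()})
```

The closed-form expectation in `expected_annual_loss` is useful as a sanity check on the simulation, but the simulation is what produces the tail figures (p90, p95) that distinguish a frequent-but-cheap risk from a rare-but-ruinous one; two scenarios with the same ALE can look very different at the 95th percentile, which is exactly the distinction a single "red, amber or green" rating cannot express.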
How will Risk Quantification Services complement IBM’s other cybersecurity offerings?
We will build risk quantification into our Security services and into our Security products going forward, with some of IBM’s products starting to use some of the risk quantification terminology. We want to help clients build risk quantification capabilities, and then help them enhance those capabilities going forward. This is a movement that’s building momentum in the information security profession, and it’s solving a problem that’s been around for some time – the challenge for business leaders to understand cybersecurity in business, rather than technical, terms.
What are some potential use cases for IBM Risk Quantification Services?
The journey to hybrid cloud is a key use case in which clients can quantify the risk reduction they’re going to get as a result of moving to the cloud. Organizations often don’t realize how vulnerable they are, and they may not be aware that they can expose themselves to security risks if they misconfigure their cloud implementation. IBM’s Risk Quantification Services can quantify the risks of improper cloud configuration and data management.
For example, we’re already conducting risk quantification along with our IBM Cloud for Financial Services offering. We’re helping financial institutions build Cloud Security Centers of Excellence that advise and support them in their digital transformation. We can quantify the risk reduction clients will realize by moving to the hybrid cloud. And that really helps organizations prioritize where they want to focus on their hybrid cloud journey.
M&A is also an important use case, as clients seek to quantify the risks associated with an acquisition. Insights from our Risk Quantification Services can enable a merchant bank to consider reducing its offer price because of an associated security risk. I’ve had CISOs and CSOs tell me that they aren’t told about mergers and acquisitions until the Street is told, and that within days of a new acquisition they’ve had breaches, and need to divert resources to manage those problems.
How can quantifying risk help businesses during the pandemic?
Assessing risks associated with large numbers of remote workers is another use case for IBM’s Risk Quantification Services. Obviously, the pandemic caught many organizations by surprise, and they had to scramble to provide remote work capabilities for their employees. Many CISOs and CSOs are still in catch-up mode, and our services will enable them to quantify some of the new risks associated with having a remote workforce. Having that information – and being able to share it with business leaders in language they understand – will be critical to an organization’s decisions about the future of work.