In almost all areas of business and corporate management, we speak in terms of facts, figures and real fiscal currencies. So why do cybersecurity leaders opt for gradients (low, medium, high, critical) and colors (the Green, Amber, Red "traffic light" chart)?
This keynote will analyze the key reasons why qualitative risk methods and relative ratings are woefully inadequate and do not meet basic business needs, and will delve into their weaknesses as they pertain to both the inputs and the conclusions.
Adding business context and factoring in criticality, potential revenue impact, and likelihood of occurrence are a start; however, vulnerabilities rated (relatively) on their technical characteristics and overall exploitability will not build an accurate risk picture. Gavin will then expand on specific techniques for quickly adopting a meaningful quantitative risk management (QRM) methodology and framework that is not exclusively built around minimizing Annualized Loss Expectancy (ALE).
Specific working examples will highlight why ALE-based risk quantification is only a part of the equation. Further, the talk will expand on how using QRM can go beyond risk reduction to deliver measurable and quantifiable analysis to support business enablement and rationalize cybersecurity controls and investment levels.
In essence, his session will help business leaders to understand how to factor cyber risk and technology services risk into business risk in a meaningful, quantifiable fashion.