Virtualization Technology News and Information
RiskLens 2022 Predictions: Four Predictions for Cyber Risk Management in 2022


Industry executives and experts share their predictions for 2022. Read them in this 14th annual series exclusive.

Four Predictions for Cyber Risk Management in 2022

By James Graham, Vice President, Marketing, RiskLens

As a team of risk enthusiasts as well as risk experts, we at RiskLens think and talk a lot about the future: of the quantification movement, of the FAIR model, and of the risk management industry, to name just a few. Looking back as we wrap up 2021, there have been more than a few signs of things to come in our space. Here are our predictions for 2022:

The Demand for Risk in Financial Terms

We expect an increasing number of boards to ask CISOs for a quantified view of their organization's cyber risk. To secure the funding needed to counter increasingly sophisticated attacks, CISOs are being required to quantify risk so they can prioritize and justify proposed security initiatives. They can expect this demand to surface sooner rather than later, given the new Gartner survey finding that 88 percent of boards of directors now view cyber risk as business risk.

The open question is whether CISOs will be ahead of or behind this demand. In many organizations, CISOs still aren't communicating in the financial language of the business: loss exposure, expressed as a range of how often loss events are likely to occur, paired with the impact of each event in dollars and cents.

The Effect of Security Controls on Reducing Risk

We expect the cyber risk quantification movement to focus more on extending risk management to better understand the effectiveness of cyber security controls. Proponents of FAIR (Factor Analysis of Information Risk), the Open Group international standard for quantifying cyber and technology risk, have long wanted a way to weigh control effectiveness accurately in their assessments.

The introduction of the FAIR Controls Analytic Model, or FAIR-CAM, at the 2021 FAIR Conference by Jack Jones, the author of FAIR, is already proving influential. FAIR-CAM describes the "physiology" of controls: how they function and interact, categorized by whether they reduce the frequency or the magnitude of loss events, the two factors that drive risk in a FAIR analysis. The FAIR community will likely grow even more interested in FAIR-CAM as the industry introduces ways to operationalize this new model.
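To make concrete what "loss exposure in ranges of likelihood and dollar impact" looks like, and how a control's effect on event frequency or magnitude feeds back into that number, here is a small FAIR-style Monte Carlo simulation. It is an added example, not RiskLens or FAIR Institute code: the scenario name, the calibrated estimates, and the assumption that a preventive control halves loss event frequency are all constructed for illustration, and the triangular sampling and Poisson event counts are one common simplification of FAIR's frequency/magnitude decomposition, not the only valid one.

```python
"""FAIR-style Monte Carlo: annualized loss exposure with and without a control.

Added example, not RiskLens or FAIR Institute code. The scenario figures and the
50% frequency reduction attributed to the control are constructed assumptions.
"""
from __future__ import annotations

import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max estimate, sampled as a triangular distribution."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode) in that order.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """One FAIR scenario: Loss Event Frequency (events/year) and Loss Magnitude (USD/event)."""
    name: str
    lef: Estimate
    lm: Estimate


def poisson(rng: random.Random, lam: float) -> int:
    """Draw this year's event count for an expected frequency lam (Knuth's method)."""
    if lam <= 0:
        return 0
    threshold = math.exp(-lam)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return count
        count += 1


def simulate(scenario: Scenario, iterations: int = 10_000, seed: int = 1,
             frequency_factor: float = 1.0, magnitude_factor: float = 1.0) -> list[float]:
    """Return one simulated annual loss total (USD) per iteration.

    The two factors model a control's effect in FAIR-CAM terms: a control that
    prevents events scales LEF, a control that limits damage scales LM.
    """
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(iterations):
        rate = scenario.lef.sample(rng) * frequency_factor
        events = poisson(rng, rate)
        loss = sum(scenario.lm.sample(rng) * magnitude_factor for _ in range(events))
        annual_losses.append(loss)
    return annual_losses


def summarize(annual_losses: list[float]) -> dict[str, float]:
    """Loss exposure as a range: mean, 10th/50th/90th percentiles, worst simulated year."""
    cuts = statistics.quantiles(annual_losses, n=100)  # 99 cut points; cuts[k-1] is the k-th percentile
    return {
        "mean": statistics.fmean(annual_losses),
        "p10": cuts[9],
        "p50": cuts[49],
        "p90": cuts[89],
        "max": max(annual_losses),
    }


# Constructed scenario (illustrative numbers only): ransomware on a file server.
RANSOMWARE = Scenario(
    name="ransomware on file server",
    lef=Estimate(low=0.5, mode=2.0, high=6.0),              # events per year
    lm=Estimate(low=50_000, mode=200_000, high=1_000_000),  # USD per event
)


def control_comparison(scenario: Scenario = RANSOMWARE,
                       frequency_factor: float = 0.5) -> dict[str, dict[str, float]]:
    """Baseline exposure vs. exposure with a control assumed to halve loss event frequency."""
    return {
        "baseline": summarize(simulate(scenario)),
        "with_control": summarize(simulate(scenario, frequency_factor=frequency_factor)),
    }


if __name__ == "__main__":
    for label, stats in control_comparison().items():
        print(label, {k: f"${v:,.0f}" for k, v in stats.items()})
```

The output is the kind of statement a board can act on: an expected annual loss plus a 10th-to-90th percentile band, and the same band again after a proposed control is applied, so the control's value is the difference between the two ranges rather than a qualitative "high/medium/low" score. Swap `frequency_factor` for `magnitude_factor` to model a control that limits damage (backups, segmentation) instead of one that prevents events.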

The Need for FAIR-ready Data

We expect security and risk leaders to look for quicker and easier ways to bring hard risk data into their FAIR assessments. Among the evidence for this is a recent study by the Professional Risk Managers' International Association (PRMIA), which found that data quality issues were among the top-rated frustrations of nearly 60 percent of the risk teams surveyed.

FAIR is an analytical model and, rightly, requires data to estimate risk in financial terms. We hear this same challenge in our conversations with CISOs, Chief Risk Officers and risk management practitioners in organizations of all industries and sizes. In fact, we have introduced new data-centric capabilities to help CISOs access and use hard data to understand their risk exposure in financial terms quickly.

The Cyber (Risk Management) Skills Gap

We expect the cybersecurity skills gap, although it shrank slightly during 2021, to continue to materially impair risk quantification capabilities, teams and requirements across the cybersecurity industry. A proof point comes from the (ISC)² 2021 Cybersecurity Workforce Study, a survey of 4,700 security professionals: one third of respondents identified "not enough time for proper risk assessment and management" as the second-most-damaging effect of the skills shortage, eclipsed only by "misconfigured systems."

We expect the effects of this shortage on risk management capabilities, combined with the growing demand to prioritize it, to put enormous pressure on risk-conscious organizations to look for easier solutions. One option is managed services, where experienced practitioners are hired to run the processes, technologies and reporting needed to maintain a cyber risk quantification program.


James Graham

James leads the RiskLens marketing team, responsible for full-spectrum go-to-market strategy and execution in support of the company's brand, demand, public relations, content, partner marketing, events, and sales enablement functions. Prior to joining RiskLens, James served in marketing leadership roles in the cybersecurity space, including roles at Verisign, RSA and Mandiant. James is a veteran of the U.S. Army and holds bachelor's and master's degrees in English from George Mason University. He resides in Northern Virginia with his wife and four children.

Published Thursday, January 06, 2022 7:32 AM by David Marshall