RiskLens 2023 Predictions: Four Risk Management Predictions


Industry executives and experts share their predictions for 2023. Read them in this 15th annual series exclusive.

Four Risk Management Predictions for 2023

By James Graham, Vice President of Communications and Marketing, RiskLens

Last year, I offered a few predictions for the risk management space from our risk enthusiasts at RiskLens. With the start of 2023, there is evidence that the cybersecurity industry is moving in many of the directions we anticipated.

Our primary prediction from last year proposed that the demand for understanding risk in financial terms would grow. It's clear that this is happening, both due to a growing number of CISOs who see the value of communicating cyber risk in business terms, and due to expected regulatory changes, such as the latest Securities and Exchange Commission (SEC) Public Company Cybersecurity Proposed Rules.

Here's a quick rundown of our predictions for risk management in the year ahead.

Continued Primacy of the Factor Analysis of Information Risk (FAIR) Model

The cyber risk quantification market saw a marked increase in the number of organizations providing offerings in 2022, and these offerings come with proposed models that claim to improve upon FAIR. However, when put to the test, almost every one of these proposed models was found wanting when held to the standard FAIR has set as an open-source model providing transparent, and therefore defensible, calculations, results and, by extension, cybersecurity decisions.

We expect these kinds of challenges to and critiques of the FAIR model to continue to surface indefinitely, and expect challengers to continue their efforts to conceive of a better way to quantify cyber risk. That said, we also expect these alternatives to fall short on the most important aspects of such a model: transparency and defensibility.

Increased interest in and demand for the FAIR Controls Analytics Model (FAIR-CAM)

This is an extension of a prediction we made last year, based on the enthusiasm and engagement we saw in the wake of Jack Jones's introduction of FAIR-CAM at last year's FAIR Conference. The impact was clear when the conference returned in 2022: nearly one-third of the agenda, led by security and risk leaders and practitioners, centered on the need for, and the strong desire to implement, FAIR-CAM.

We expect the intense focus on controls analytics and FAIR-CAM only to increase in the coming year, and to grow well beyond the FAIR community.

Increased Desire for FAIR Automation

While quantifying risk using Factor Analysis of Information Risk (FAIR) is still very much a programmatic, enterprise-scale activity for larger organizations in highly regulated industries, these organizations, along with their smaller counterparts, are searching for ways to automate the quantification process, both to gain efficiencies of scale and to embed FAIR more deeply in their security operations and strategy.

We expect that the focus for large and smaller organizations alike in 2023 will continue to tighten around automating FAIR, including asset discovery, data ingestion and risk remediation, to bring the promise of FAIR-based, risk-focused decisions to their operational security teams.

Laser Focus on Quantifying Operational Risk of Digital Transformation

According to IBM, 86 percent of more than 3,000 organizations surveyed said they have witnessed at least some of the benefits of cloud computing. As more organizations shift to this way of doing business, they will do so with an increasing need to make new and often unfamiliar decisions about how to secure those assets, workloads and data.

We expect a growing number of security teams and leaders to seek out solutions that incorporate all of the themes above (the continuing need for a quantified view of cybersecurity risk, an open and defensible model, integrated control efficacy with FAIR-CAM, and automation of FAIR-based analyses) as the new standard for measuring their operational cybersecurity risk, starting in the cloud and ultimately extending everywhere else.



James Graham

James Graham leads the RiskLens communications and marketing team, responsible for full-spectrum go-to-market strategy and execution in support of the company’s brand, demand, public relations, content, partner marketing, events, and sales enablement functions.

Prior to joining RiskLens, Graham served in communications and marketing leadership roles in the cybersecurity space, including roles at Verisign, RSA and Mandiant. He is a veteran of the U.S. Army and holds bachelor's and master's degrees in English from George Mason University. Graham resides in Northern Virginia with his wife and four children.

Published Friday, February 03, 2023 7:31 AM by David Marshall