Cyber Risk Quantification (CRQ): Adoption And Impacts
How are organizations employing cyber risk quantification (CRQ) methods and tools, and what are the benefits so far? Discover the challenges and impacts of CRQ adoption identified by technology leaders.
One minute insights:
- Cyber insurance and compliance reporting are the most reported use cases among surveyed leaders
- Over three-quarters of respondents at organizations that have adopted CRQ have increased their investment in it
- Many face challenges related to stakeholder perceptions of CRQ and scoping issues
- Respondents commonly turn to third-party service providers or consultants for CRQ
Most surveyed leaders use CRQ for cyber insurance or compliance purposes
Over half (53%) of respondents list cyber insurance or compliance reporting among their use cases.
Other use cases commonly reported by surveyed leaders include prioritizing or optimizing security spend (45%), improving communications with the board or leadership regarding cybersecurity (40%) and prioritizing different risks (35%).
Question: Please share any final thoughts on your organization's experience with CRQ.
Risk quantification is a must to get executive buy in and endorsement.
Early days, we hope to make this a standard way of reporting.
Nearly all respondents at organizations that adopted CRQ see beneficial results and many saw increased investments in this area
97% of surveyed leaders whose organizations have adopted CRQ (n = 208) say they have seen benefits in their organization as a result.
52% report that CRQ adoption has given the board/leadership greater confidence in the security function, and 51% say CRQ has made it easier to get risk owners to conduct remediation. Nearly half (46%) note that CRQ has improved IT/security’s understanding of cyber-risk exposure across the business.
Among those whose organizations have already adopted it (n = 208), 79% report that their investment in CRQ has increased over the past year.
Question: Please share any final thoughts on your organization's experience with CRQ
It requires a lot of effort and collaboration, but it’s proving to be worth it.
Our CRQ implementation has improved cyber risk management, communication with stakeholders, and alignment with business objectives. Continuous monitoring and strategic risk management are key takeaways from our experience with CRQ.
Stakeholders struggle to trust or understand CRQ methodologies
The most commonly reported challenge among respondents is that stakeholders struggle to understand CRQ analyses or recommendations (49%).
Over one-third (34%) of these leaders say stakeholders distrust the subjective nature of CRQ methodologies and 28% face difficulties due to a lack of variety in options for remediation.
Many surveyed leaders face technical challenges with scoping (45%) or integration complexity (42%). About one-third note deficiencies in automation (35%) or the availability of appropriate/defensible data (31%).
Question: Please share any final thoughts on your organization's experience with CRQ.
This is hard without the right internal understanding of potential costs. It is quite subjective.
Consultants often only consider a limited amount of physical security risks, which may not accurately reflect your operating conditions.
Use of third-party services or consultants for CRQ is common, and most strategies include post-assessment impact analysis
34% of respondents are using third-party risk assessment services for CRQ and nearly one-third (26%) are working with consultants for this purpose.
The CRQ tools most commonly listed by surveyed leaders are OneTrust GRC (23%), Resolver (19%) and RiskQ (17%).
Over half (56%) say their organization's strategy does or will include a screening process to identify which business decisions require CRQ assessments.
And almost three-quarters (70%) say their organization does or will have a post-assessment process to evaluate CRQ’s impact on business decisions.
Question: Please share any final thoughts on your organization's experience with CRQ.
It has to be implemented in a phased manner. A POC is important after the initial study so that an impact in the area can be demonstrated.
We've performed CRQ internally and then brought in an external firm to assist with our own. We found outsourcing to be much more effective in driving to value and deadlines. You should definitely do some analysis on the tooling that the company is using as well as the methodology they've implemented which leads them to the recommendations they provide you. Tools are easy to use — but experience is what leads to better recommendations.
Want more insights like this from leaders like yourself?
Click here to explore the revamped, retooled and reimagined Gartner Peer Community. You'll get access to synthesized insights and engaging discussions from a community of your peers.