Everything Benefits from More Q
The letter Q is on my mind often these days, primarily as it relates to what I’m building my business around. But as I look back in time, I can’t seem to escape it. Before I ever decided to orient my work around Cyber Risk Quantification, Qs were already a big part of my life.
Q Te Ching
The origins of Q in my life can be traced back to my dad. He exclusively read non-fiction literature. While I certainly saw merit in the texts he chose, I took a slightly more whimsical path, incorporating the grounding of the “real world” and extrapolating down some fictional paths, most notably resulting in my love of science, spy thrillers, cyberpunk dystopia and science fiction. This leads us to our first Q.
Q the Enigma
The first Q I want to discuss is first encountered at “Farpoint.” Yes, I’m talking about my man from Star Trek as portrayed by the inimitable John de Lancie. Something about being an omniscient, time-traveling trickster drew me to Q. He reminded me of a certain enigmatic young man with whom I was acquainted.
Q was one of the most fascinating characters in the Star Trek canon to me. Showing up mostly unbidden, rhetorically jousting with Captain Picard, wearing fun anachronistic costumes; what wasn’t to love? As the resident trickster of the galaxy, Q’s schemes and plans often come across as harsh at first; however, they invariably impart an important lesson and lead to additional resiliency for the crew of the Enterprise D. As an example, in one episode Q orchestrates the first formal contact between the Federation and the Borg. During the process 18 people lost their lives, but the Federation was now aware of the Borg. They could begin preparing for the inevitable invasion from an overwhelming adversary. Without the canary in the coal mine, the organization would have been left open to greater risk due to a growing threat to which they were previously blind.
Whether or not I was aware of it at the time, the teachings of Q taught me a lot about Cyber Risk. If he could talk to us about it he might use this wonderful quote: “The trial never ends. We wanted to see if you had the ability to expand your mind to new horizons. And for one brief moment, you did. For that one fraction of a second, you were open to options you had never considered. *That* is the exploration that awaits you.”
Or perhaps he might say, “The time to move on to a new way of looking at risk is upon us, my friends! Seize the day, stop auditing and dive into quantitative analysis or perish!”
I may have taken some artistic license with this one; however, that brings me to Q2.
Q the Master of Technology
The man getting all the love in the 007 series is James Bond. But let's be real, he is just not going to get it done without Q (the quartermaster of the British Secret Service MI6) and his merry band of technologists.
Q and his team are tasked with evaluating every possible threat and high-risk scenario that our hero might come across. Their analysis ultimately results in a series of tools to mitigate those risks. It’s what I like to think of as “Q getting his Q on!”
Getting your Q on requires leveraging both quantitative and qualitative analysis and a deep understanding of the threat landscape. While it has certainly been true that Q evolves his methods over the fifty-plus years of the James Bond franchise, the distillation of this evolution was shown recently. In Skyfall, Q lets James know what’s what when he proclaims "I Can Do More Damage On My Laptop Sitting In My Pajamas Before My First Cup Of Earl Grey Than You Can Do In A Year In The Field." While I have no desire to denigrate the way things have been done previously, it is that same sentiment, that diligent analysis and research can provide greater impact than brute force, which defines the necessity of an evolution in risk analysis. Q, across decades and franchises, reminds us that it’s time to move from traditional approaches to new, Quantitative analyses which yield definitive understanding of financial impact and provide actionable risk reduction outcomes.
The Qs Call! Are you listening?
Whether you fancy yourself a merry galactic prankster, a technology innovator, a cyber risk analyst, or a cyber security leader, we invite you to join the ranks of the other Qs and add some Q to your cyber-risk posture in the form of quantification.
Which path will you select for "Adding the Q"?
Create a Cyber Risk Quantification capability: Helping your organization operationalize continuous risk tolerance, appetite and materiality discussions
Evolve ERM to ERMQ: Business-centric version of NIST 8286 and ISO 22301:2019
TPRMQ 2.0: Evolve from Audit to Inside out Joint Risk Analysis
Insider RisQ: financial impact determination of lost trade secrets, and customer/prospect lists
There are also smaller qs:
Adding in financial impact analysis to vulnerability management, threat intelligence, adversarial simulation, and data loss prevention.
Combining control analysis in light of financial value of critical business services and data sets.
We’re here to help:
Regardless of how you're looking to "Add the Q", CRFQ is ready to help. The common thread across how we approach all of these areas is: increased business context, defensible results and actionable risk reduction recommendations, BOTH technical and non-technical, always with an eye towards resiliency.