The Story of CRFQ

Failure to Communicate

I started this business a little over a year ago because I kept running headlong into the same problem. In my (going on three) decades of work in cyber security and risk, every program runs into an inevitability at the senior-leadership level.

The Problem: No One Is on the Same Page

Cyber security and risk management are challenging. The analysts, engineers and operators who work in our field are hard-working, under-resourced, underappreciated and outgunned. Chief Security Officers have an insurmountably vast set of interdependent business, regulatory and technical domains to manage. They are asked to do this under tremendous stress while working untold hours, with responsibility for operating 30-120 different tools. Getting out of response mode is rarely in the cards. Suffice it to say, it’s a tough job, and getting the resources to do it isn’t getting any easier.

Early last year, after a young public company suffered back-to-back financial quarters with losses, the board and CEO decided to reduce the risk and security team by 70% to save costs. This left the CISO in an untenable position. The CISO and what remained of the team had to put all critical projects on hold - including extending MFA from two to twelve applications - as they were all forced into firefighting mode. They all had to pull together just to monitor and respond to high-severity alerts from their security tools. Five big steps backward and no path forward toward success.

In previous roles, I kept hearing some form of the following statements from the security practitioners I have had the good fortune to work with: “Sorry Andrew, that didn’t get approved” or “our budget is being reduced again.” Conversely, in my conversations with the finance side of the house I kept hearing “Your business case doesn’t provide enough financial justification to support <insert_program_here>.”

I hope the problem has become self-evident at this point: top-level leaders aren’t singing from the same hymnal.

The Solution: Become The Translator

With my deep experience in both security and finance, I realized that I can provide a vital service to business leaders: translating what can feel abstract outside of the security organization (cyber-risk) into the language of modern business, dollars and cents.

To do this we need to move past the traditional methods for accomplishing this goal. Static qualitative frameworks based on point-in-time assessments cannot communicate what they need to. The outputs of these analyses–subjective CMM qualitative ratings (e.g. high, medium, or low), one-dimensional 3x3 heat maps, or mitigation requests not based on financial analysis–do not provide the specificity business leaders need to address the breakneck speed of change. The only thing that can do that is quantification.
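To make the contrast concrete, here is an added illustration (not the author's model or any client's data) of what "quantification" means in practice: a frequency-times-magnitude Monte Carlo in the style of common cyber-risk quantification models. Two constructed scenarios are both rated "High" on a 3x3 heat map, yet they carry very different dollar exposure. The scenario names, event rates and loss ranges are assumptions chosen for the example; the only real inputs such a model needs are calibrated estimates of how often a loss event occurs and a 10th/90th-percentile range for the loss per event.

```python
"""Toy cyber-risk quantification: frequency x magnitude Monte Carlo.

Added example, not the blog's own method. The scenarios below are
constructed: an annual loss-event rate and a 10th/90th-percentile
single-event loss range that a security lead and a finance partner
might agree on, then simulated into dollars per year.
"""
import math
import random
from dataclasses import dataclass

Z90 = 1.2815515655446004  # standard-normal z-score at the 90th percentile


@dataclass
class Scenario:
    name: str
    events_per_year: float   # expected loss events per year (Poisson mean)
    loss_p10: float          # 10th-percentile loss per event, dollars
    loss_p90: float          # 90th-percentile loss per event, dollars
    heat_map_rating: str     # what the same scenario looks like on a 3x3 grid


def lognormal_params(p10: float, p90: float) -> tuple[float, float]:
    """Turn a 10th/90th-percentile estimate into lognormal (mu, sigma)."""
    if not 0 < p10 < p90:
        raise ValueError("need 0 < p10 < p90")
    mu = (math.log(p10) + math.log(p90)) / 2        # ln of the median
    sigma = (math.log(p90) - math.log(p10)) / (2 * Z90)
    return mu, sigma


def poisson(lam: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler; fine for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, years: int = 20_000,
                           seed: int = 1) -> list[float]:
    """Total loss for each of `years` independent simulated years."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(s.loss_p10, s.loss_p90)
    totals = []
    for _ in range(years):
        n = poisson(s.events_per_year, rng)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return totals


def analytic_ale(s: Scenario) -> float:
    """Closed-form annualized loss expectancy: rate x mean loss per event."""
    mu, sigma = lognormal_params(s.loss_p10, s.loss_p90)
    return s.events_per_year * math.exp(mu + sigma ** 2 / 2)


def summarize(s: Scenario, years: int = 20_000, seed: int = 1) -> dict:
    """ALE plus tail figures a finance leader can actually budget against."""
    losses = sorted(simulate_annual_losses(s, years, seed))
    exceed = lambda x: sum(1 for v in losses if v > x) / len(losses)
    return {
        "scenario": s.name,
        "heat_map": s.heat_map_rating,
        "ale": sum(losses) / len(losses),
        "p95_annual_loss": losses[int(0.95 * len(losses))],
        "prob_loss_over_1m": exceed(1_000_000),
    }


# Constructed scenarios: identical heat-map rating, very different dollars.
SCENARIOS = [
    Scenario("Ransomware on a business unit", 0.3, 500_000, 10_000_000, "High"),
    Scenario("Credential phishing / account takeover", 4.0, 20_000, 400_000, "High"),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        r = summarize(s)
        print(f"{r['scenario']:<42} heat map: {r['heat_map']:<5} "
              f"ALE ${r['ale']:>12,.0f}  95th pct ${r['p95_annual_loss']:>12,.0f}  "
              f"P(loss > $1M) {r['prob_loss_over_1m']:.1%}")
```

The point of the output is not the exact numbers (they are only as good as the calibrated estimates fed in) but the shape of the conversation they enable: an annualized loss expectancy, a 95th-percentile bad year and a probability of exceeding a threshold are things a CFO can weigh against the cost of a control, whereas "High" is not.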

How We Do That

There are a number of frameworks for assigning hard numbers to cyber-risk; however, too few organizations have adopted them, citing a myriad of excuses: “it’s too hard,” the data is “unavailable,” or my favorite, “my business peers won’t interact with me.”

Breaking down those barriers is why I started this business. I am an excellent, effective, and effervescent wrecking ball.

Security leaders need the firm ground to stand on that quantification can provide. Financial leaders need an understanding of the true cost of risk, which (again) can only become clear by defining an agreed-upon number. Once we have that baseline, we can work together to operationalize a security program that meaningfully addresses the new risks on the horizon in the form of AI, Third Party Risk and Insider Risk. I firmly believe that the only way to accomplish any of that is by getting everyone on the same page.

That’s where I thrive: being the connective tissue between organizations and the bottom line is where I have chosen to build my business. Our work is to:

  • drive engagement between business and technical leaders,

  • gain greater visibility into the risk stemming from third parties,

  • use methodologies and tools that measure risk quantitatively or drive quantitative analysis,

  • create and aggregate internal empirical data sets for data loss and likelihood,

  • utilize Generative AI, and

  • encourage and facilitate aggressive engagement with cyber-insurers and federal law enforcement agencies.

If any of that sounds like something your business could benefit from, let’s talk. I know we can help.
