A few years ago I founded a business that measured cyber risk based on the factors that the insurance markets considered the most meaningful, but also ones that could actually be measured and acted upon. It was very difficult to get enterprises to adopt this, or indeed any risk framework, largely because of the amount of work required to gather data (mostly questionnaire based). Now we have automated tools that allow the building of threat models, identifying the presence and status of information assets, and creating actionable reports; it’s time for all organisations to have a formal risk management program. It doesn’t have to be fancy, as this article points out:
[…] Given that cyber risk quantification models are still in their infancy, CISOs need to focus on taking meaningful measurements that help senior leadership make the most informed decisions. Whether NIST 800-30, FAIR, or simply a three-by-three matrix, starting is the most important step. When selecting a framework to build a risk management program around, though, it is most important to be able to justify and explain the process behind the framework. The best answer, for now, is one that allows your organization to begin analyzing information risk in the most transparent way possible and delivering those risk scenarios to senior-level stakeholders.