“Cyber Risk Management” and “Cybersecurity” are not interchangeable terms. Rather, these terms describe separate yet related functions within an organization.
Cyber risk management establishes the foundation by which cybersecurity measures can be optimally selected, implemented, and maintained to reduce estimated financial loss potential of cyberattacks.
Today, however, many organizations have not yet established a sound practice of cyber risk management. Year over year, many companies funnel increasing amounts of budget, time, resources, and technology into cybersecurity. When pressed for a defensible measurement of the efficacy of these cybersecurity investments, the typical response is vague, fraught with subjectivity, and insufficiently substantiated.
One cannot defend cybersecurity investments without first quantifying cyber risk – and quantifying it properly, complete with a translation into financial terms.