
The Future of Cyber Risk Consulting

[ Originally published on Medium.com June 3, 2023. ]

The consulting delivery recipe has long stood the test of time. Gather information, often through interviews, synthesize and analyze that information, and then deliver the results in a slide deck. Analysis ‒ the kind that uses numbers and math ‒ would be done using bespoke code and would produce charts for the deck to help tell the story. When I started in consulting in 2013, that was the model. I was in a heavily mathematical group, where advanced analytics were our specialty, and, still, our results always got boiled down to charts in slides. By 2018, that old way of doing things was well on its way out. Clients (largely government, but also private sector) wanted working prototype MVPs, proofs-of-concept, live demos, web apps, and the like. Massive DoD proposals went from hundred-page volumes to 20-page documents, accompanied by day-long demonstrations.

If we look at cyber risk consulting, it is still using the old model. That is not surprising. Cyber risk is still a relatively new field, so you start with what you know and what has always worked — that classic recipe. But, if history is a guide, and we consider the migration of other fields away from static slide decks in favor of dynamic and engaging deliverables, the world of cyber risk consulting is in for some big changes. These changes will be (and are being) fueled, in large part, by the trend to more quantitative approaches to cyber risk, i.e., cyber risk quantification, or CRQ.

This transformation is already underway when it comes to risk assessment via compliance. Between government agencies, insurers, and others starting to require that organizations meet certain cybersecurity standards, and the proliferation of cyberattacks, companies young and old are getting into the compliance game. There are dozens of them, and they are doing it with software: web-based applications, software-as-a-service (SaaS) platforms, and API-driven data integrations. In other words, they are not doing it with interviews and slide decks.

While the compliance space is already crowded, with everyone looking to rise above the noise, the analysis of true cyber risk — in other words, the probabilistic estimation of cyber risk in dollars and cents — is still in its infancy. The familiar red-yellow-green yardstick and 5×5 Likert-based risk matrix are, in some sense, still state-of-the-art. Not because we can’t do better, but because stakeholders are not ready for what replaces these antiquated “measures” of risk. To their credit, many organizations recognize that their existing approaches to cyber risk management are falling short — they are often, by necessity, compliance-based as already noted. Further, they are largely subjective and qualitative. Yet compliance does not translate to risk management, nor does it translate to security. It is no wonder that Boards of Directors, CEOs, and CISOs — along with their government counterparts — are struggling to find better ways to measure, manage, and report cyber risk. Decision-makers feel helpless, awash in a sea of questions: “What is my risk?”, “How do I frame risk in $?”, “What do I do next?”, and “How do I pay for it?” Add to those the sticky question of, “How much cyber insurance do we need?” These sorts of questions do not get answered by compliance assessments. To answer them, one needs the sophistication and fidelity of no-kidding cyber risk models: probabilistic models that produce a distribution of annual loss in dollars rather than a color or a score. One needs CRQ.

Cybersecurity insurance is a great example. The demand for cyber insurance coverage is skyrocketing. At the same time, insurance providers’ losses are growing. High demand, in combination with high payouts, is leading to increased premiums. Businesses report premium hikes of 50% and even 100% year over year.[1] Thus, on one hand, insureds are wondering, “Do I have enough insurance?” and, on the other, insurers are wondering, “Are my estimates of cyber risks accurate? Will we get burned?” CRQ will be a mechanism that answers both questions. It will also be the answer when clients want to know what is driving their cyber risk, where to invest their cybersecurity dollars, what their return on security investment is, and how to optimize their cybersecurity efforts. The insights clients will soon be expecting go way beyond what the current consulting recipe can deliver. To remain competitive in the cyber risk consulting space, one must embrace this new cyber order, and whoever gets to the front of this still very nascent and fluid CRQ space is looking at billions of dollars in total addressable market. Those that lag will be in trouble.
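To make concrete what the two preceding paragraphs mean by CRQ, here is an added example (it is not code from the original post, and the scenario parameters are constructed assumptions, not figures the author reports). It models annual loss as a compound Poisson process: the number of loss events in a year is Poisson(lam) and each event’s loss is LogNormal(mu, sigma), then draws a loss distribution by Monte Carlo. From that distribution it reads off the quantities the text says decision-makers are asking for: expected annual loss in dollars, a loss exceedance curve, and the insurance limit needed to keep the chance of an uncovered loss below a chosen tolerance. It also scores the same two scenarios on a classic 5×5 matrix to show why that “measure” cannot distinguish a fat-tailed risk from a thin-tailed one with the same frequency and median loss. The bucket edges for the matrix and the names of all functions are this example’s own.

```python
"""
Monte Carlo cyber risk quantification (CRQ): an added illustration, not code
from the original post. Annual loss is modelled as a compound Poisson process:
the number of loss events in a year is Poisson(lam) and each event's loss is
LogNormal(mu, sigma). All parameters below are constructed assumptions.
"""
import bisect
import math
import random
from statistics import mean


def poisson_sample(rng, lam):
    """Draw one Poisson(lam) variate (Knuth's method; fine for small lam)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(lam, mu, sigma, trials=20_000, seed=7):
    """Return a list of simulated annual loss totals (one per trial)."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    losses = []
    for _ in range(trials):
        n_events = poisson_sample(rng, lam)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return losses


def percentile(values, q):
    """q-th percentile (0 < q <= 1) by the nearest-rank method."""
    ordered = sorted(values)
    rank = max(1, math.ceil(q * len(ordered)))
    return ordered[rank - 1]


def loss_exceedance(losses, thresholds):
    """P(annual loss > t) for each threshold t: the loss exceedance curve."""
    n = len(losses)
    return {t: sum(1 for x in losses if x > t) / n for t in thresholds}


def coverage_for_tolerance(losses, tolerance=0.05):
    """Insurance limit such that the chance of exceeding it is <= tolerance."""
    return percentile(losses, 1.0 - tolerance)


def analytic_mean(lam, mu, sigma):
    """Expected annual loss: lam * E[LogNormal] = lam * exp(mu + sigma^2 / 2)."""
    return lam * math.exp(mu + sigma ** 2 / 2)


# Assumed bucket edges for a classic 5x5 matrix (this example's own choice).
FREQ_EDGES = [0.1, 0.5, 2.0, 10.0]   # events per year -> likelihood 1..5
LOSS_EDGES = [1e4, 1e5, 1e6, 1e7]    # typical loss in dollars -> impact 1..5


def matrix_cell(lam, typical_loss):
    """Classic 5x5 risk matrix cell (likelihood, impact), each 1..5."""
    likelihood = bisect.bisect_right(FREQ_EDGES, lam) + 1
    impact = bisect.bisect_right(LOSS_EDGES, typical_loss) + 1
    return likelihood, impact


# Two constructed scenarios: same frequency (2 events/yr) and same median loss
# ($200k) but very different tails (sigma). The matrix cannot tell them apart.
SCENARIOS = {
    "A": dict(lam=2.0, mu=math.log(200_000), sigma=1.0),
    "B": dict(lam=2.0, mu=math.log(200_000), sigma=2.0),
}


def compare_scenarios():
    """Run both scenarios and return the CRQ outputs next to the matrix cell."""
    results = {}
    for name, p in SCENARIOS.items():
        losses = simulate_annual_losses(**p)
        results[name] = {
            "cell": matrix_cell(p["lam"], math.exp(p["mu"])),  # median = exp(mu)
            "mean": mean(losses),
            "analytic_mean": analytic_mean(**p),
            "p95": percentile(losses, 0.95),
            "coverage_5pct": coverage_for_tolerance(losses, 0.05),
            "lec": loss_exceedance(losses, [1e6, 5e6, 2e7]),
        }
    return results


if __name__ == "__main__":
    for name, r in compare_scenarios().items():
        print(f"scenario {name}: matrix cell {r['cell']}, "
              f"EAL ${r['mean']:,.0f} (analytic ${r['analytic_mean']:,.0f}), "
              f"95th pct ${r['p95']:,.0f}, P(loss > $5M) = {r['lec'][5e6]:.3f}")
```

Both scenarios land in the same matrix cell, yet scenario B’s 95th-percentile annual loss, and therefore the insurance limit it needs at a 5% tolerance, is several times scenario A’s. That gap is exactly the information a red-yellow-green rating throws away and a loss distribution keeps. The simulated expected annual loss for A can be checked against the closed form lam·exp(mu + sigma²/2); the same check for B is much noisier at 20,000 trials because its tail is so heavy, which is itself a useful lesson about how many trials a fat-tailed CRQ model needs.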

Taking a stroll down memory lane, recall the quant boom of the 1980s, when investment firms started attracting experts in mathematics, physics, and computer science who brought sophisticated quantitative approaches to the world of Wall Street. Despite the “quant crisis” of 2007, the quants were, and are, on Wall Street to stay. “As long as there’s data and money, there will be quants.”[3] That quote, from 2010, is as true today as it was then. As financial markets have continued to become more data-driven, with high-frequency trading, and exchanges made by the millisecond, the legacy of the quant revolution remains.

Financial trading is all about risk: how do I maximize my expected profit while minimizing my expected loss? By taking advantage of advances in computing and easier access to market data, the pioneering Wall Street quants brought their mathematical wizardry to bear on a field ripe for the taking. Intuition and subjective portfolio management were no match for data-driven, analytical, and scalable approaches that knew few bounds.

If the quants could revolutionize Wall Street, might cyber risk be in store for the same? CRQ has the word quant right in it! And it’s all just risk at the end of the day, so what’s to stop such a paradigm shift in cyber risk? If, “As long as there’s data and money, there will be quants,” is true, I think we have our answer. And if that’s the future of cyber risk, then consultancies must get smart on how to find, recruit, and hire quantitative experts that can apply their expertise to the challenges of cyber risk. For better or worse, the cadre of traditional cybersecurity consultants that make up the contemporary cyber risk delivery team may soon be outnumbered by geeky PhDs who speak in tongues (it’s really just math) and produce the impactful insights that will become the new state-of-the-art. Such a shift is a necessary one. It is necessary because, like so much else, cyber risk is becoming more data-driven, more analytical, more automated, and less subjective. And like so much else, companies will turn to a new type of workforce to be a part of that shift.

[1] https://www.netatwork.com/why-cyber-liability-insurance-coverage-just-got-harder-to-get/, accessed 24 May 2023.

[2] 0b10 is the binary form of the number 2.

[3] David Leinweber, (2010), author of “Nerds on Wall Street” and founding director of the Center for Innovative Financial Technology at UC Berkeley.
