The Cybersecurity Resilience Quotient: Measuring Security Effectiveness – SecurityWeek

Hi, what are you looking for?
The Cybersecurity Resilience Quotient empowers organizations to assess their security posture comprehensively, considering asset exposure, vulnerabilities, and criticality alongside process and network architecture and disaster recovery plans.

In the ever-changing landscape of cybersecurity, where threats morph, adversaries grow increasingly sophisticated, and new technology is adopted at ever greater speed, organizations are continually challenged to evaluate the effectiveness of their defenses.
Traditional metrics such as the raw number of security incidents, mean time to detect, mean time to respond, or mean time to contain offer only a limited perspective on organizational security posture. What is missing is a holistic and adaptable framework that empowers organizations to dynamically assess and improve their cybersecurity resilience. Enter the Cybersecurity Resilience Quotient (CRQ), an industry-wide metric that does not yet exist!
The CRQ would represent an alternative metric designed to be your comprehensive guide across this digital minefield and to go beyond traditional approaches, considering more than simple asset vulnerabilities. A more dynamic approach must also consider often overlooked or difficult to quantify factors, such as asset exposure, asset criticality, effectiveness of deployed controls, business process vulnerabilities, and architectural defensibility. This multifaceted metric would empower organizations to evaluate, adapt, and enhance their cybersecurity as the environment evolves.
The Cybersecurity Landscape: A Moving Target
Cyber threats are ceaseless, undiscriminating, and constantly adapting. Attackers continuously refine their techniques, seeking the path of least resistance into and through an organization. To safeguard against these agile adversaries, organizations must adopt a multifaceted approach to cybersecurity measurement. It’s not enough to rely solely on the deployment of technology. Instead, a comprehensive strategy is needed—one that measures, adapts, and evolves security effectiveness in real-time.
Deployed technology is in a unique position to collect and supply the required intelligence, and to automate the implementation of a risk-based strategy, but too often these processes run in parallel within organizations, rather than being integrated. Governance, Risk and Compliance often exists in a separate world from cybersecurity. This was confirmed to me recently when I suggested to a crowd of Chief Risk Officers that they indeed are cybersecurity professionals. The shockwave from the vigorous nodding was positively buffeting. There is a synergy here just waiting to be tapped more effectively, or at all.
Introducing the Cybersecurity Resilience Quotient

Advertisement. Scroll to continue reading.

Compliance drives change, but it does not necessarily make you more secure. Bringing the worlds of risk and audit together with controls and remediation adds the missing context to security conversations, to move decision-making from a technical to a business focused perspective. The CRQ is designed as a versatile metric to quantify an organization’s cyber resilience, taking into account various critical factors, and to provide a clear and comprehensive view of an organization’s security posture over time. The CRQ is the “so what” of cybersecurity; here’s how it would work:
Components of the CRQ
Asset Criticality: Recognizing the importance of digital assets is fundamental. What are the consequences to the business if the asset is degraded, compromised or unavailable? The CRQ factors in the criticality of assets to the organization’s operations, ensuring that high-impact assets receive appropriate attention.
Asset Exposure: This focuses on understanding and enumerating the organization’s digital assets, both managed and unmanaged/unknown. This includes data, applications, and systems (IT, OT, IoT, IoMT), and measuring their exposure to potential threats. Which services are running? Is the asset exposed to the internet? Can the asset be directly managed? Is the asset currently compliant? The higher the asset exposure, the greater the risk.
Asset Vulnerability: Identifying vulnerabilities within these assets is the next step. Vulnerabilities can be technical (e.g., unpatched software) or human-related (e.g., suboptimal configuration). Individual vulnerabilities will also have different outcomes and widely varying likelihoods of real-world exploitation. Does successful exploitation of a vulnerability allow an attacker simple access, or full control? Do multiple vulnerabilities exist on a single system that can be chained together for greater effect? Are vulnerabilities present but mitigated by current security controls? The CRQ quantifies the number, severity, and exploitability of these vulnerabilities.
Risk Tolerance: Certain individual assets may be deemed higher-value, more critical, or more sensitive for others (for example, those where a legal requirement exists for compliance, or assets that could cause systemic failure or even risk to life if rendered unavailable). A risk tolerance modifier (RT) takes this into account, ensuring that time-poor vulnerability risk management teams can prioritize most effectively.
Architecture Defensibility: With asset inventory in hand, how well is your organization able to defend its digital assets? Does the topology of your enterprise architecture map to the current communication flows? Where are the short circuits in your communication flows? The CRQ examines the robustness of this architecture, focusing on network segmentation, and user and privileged account management, and assesses your ability to prevent, detect and respond to attacks.
Business Process Vulnerabilities: Cybersecurity isn’t just about technology; it also hinges on the security of business process design. The susceptibility of critical processes to attacks, including social engineering, is a critical measure of organizational resilience. What is the result of a single user giving up a set of credentials to a social engineer? How much oversight is required to sign off on financial transactions targeted by Business Email Compromise attacks?
Incident Response Preparedness: In today’s threat landscape, it’s not a matter of “if” but “when” a security incident will occur. The CRQ should include a template allowing an organization to quantify their incident response capabilities, including detection, containment, business continuity, and disaster recovery.
Applying the CRQ
The Cybersecurity Resilience Quotient is a dynamic metric that can be applied in several ways:
Benchmarking and Insurance: Compare your organization’s CRQ score to industry standards or peers to gauge your competitive position. A lower score may indicate a need for investment or process improvement.
Risk Mitigation: Use the CRQ to identify areas of weakness in your cybersecurity strategy. Allocate resources to address the components with the lowest scores to reduce risk effectively.
Strategic Planning: The CRQ offers valuable insights for long-term strategic planning. It helps you prioritize cybersecurity initiatives and align them with organizational goals.
Continuous Monitoring: Dynamic recalculation of the CRQ to monitor the impact of security improvements and emerging threats allows you to adapt your strategy as the threat landscape and enterprise architecture evolve.
I am old enough to be of that generation in British education where they tried to teach us both imperial and metric systems. This lack of a unified standard hasn’t left me “bilingual.” Rather, it has left me bereft of an effective reference, unable to tell you how big a hectare is or how long a mile is in feet is, let alone to guesstimate the weight of anything. Cybersecurity currently is in a similar place. Without an agreed upon standard to measure risk and resilience, we are unable to make meaningful comparisons or accurately measure progress.
In the digital age, cybersecurity is a fundamental business requirement. The Cybersecurity Resilience Quotient empowers organizations to assess their security posture comprehensively, considering asset exposure, vulnerabilities, and criticality alongside process and network architecture and disaster recovery plans. By employing the CRQ for measurement, analysis, and forward-planning, organizations can build robust defenses against the ever-evolving threat landscape.
Remember, the CRQ is not a one-time assessment, but a dynamic metric. Real-time recalculation ensures your cybersecurity posture remains resilient, effective and aligned with the requirements of the business.
Related: Why Endpoint Resilience Matters

Rik Ferguson is the Vice President of Security Intelligence at Forescout. He is also a Special Advisor to Europol’s European Cyber Crime Centre (EC3), a multi-award-winning producer and writer, and a Fellow of the Royal Society of Arts. Prior to joining Forescout in 2022, Rik served as Vice President Security Research at Trend Micro for 15 years. He holds a Bachelor of Arts degree from the University of Wales and has qualified as a Certified Ethical Hacker (C|EH), Certified Information Systems Security Professional (CISSP) and an Information Systems Security Architecture Professional (ISSAP).
Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.
Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.
Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.
There are key steps every organization should take to leverage threat and event data across the lifecycle of a cyber incident. (Marc Solomon)
By implementing strong security practices,, organizations can significantly reduce the risks associated with lost and stolen computers and safeguard their sensitive information. (Torsten George)
While there is quite a bit of buzz and hype around AI, it is a technology that can add tremendous value to security programs. (Joshua Goldfarb)
Addressing the people problem with effective approaches and tools for users and security practitioners will enable us to work smarter, and force attackers into a position where they must work harder. (Marc Solomon)
The widely believed notion that the network and the cloud are two different and distinct entities is not true. (Matt Wilson)
Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.
The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be…
2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem
Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.
Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make…
Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing…
Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the…
Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.
Got a confidential news tip? We want to hear from you.
Reach a large audience of enterprise cybersecurity professionals
Subscribe to the SecurityWeek Daily Briefing and get the latest content delivered to your inbox.
Copyright © 2023 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.


Leave a Comment