
In this episode, Jeff Edwards and Tawana Johnson from the Safe House Initiative podcast are joined by Steven Schwartz, Chief Insurance Officer at Safe Security, to kick off their cyber insurance summer series. Steven emphasizes that cyber risk quantification (CRQ) is essential for making informed decisions about cyber insurance.
He explains that CRQ translates technical cybersecurity metrics into business-relevant financial terms, moving beyond inaccurate methods like basing limits on revenue. Every organization has a unique risk profile, making a data-driven approach crucial for balancing risk mitigation, transfer, and acceptance.
Steven highlights the FAIR Institute’s methodology as the global standard for CRQ, stressing the need to understand asset values and the business context, including often-overlooked business interruption risks. For practical CRQ, he suggests starting with basic metrics like sensitive data volume and revenue, using public breach cost data to estimate potential losses.
The conversation also covers common overlooked risks, such as third-party vendor vulnerabilities and social engineering, with the human element remaining the weakest link, now amplified by AI tool usage. Steven then introduces emerging security warranties as alternatives to traditional insurance, offering faster payouts embedded within cybersecurity products. He also discusses how insurtech MGAs are simplifying cyber insurance for SMBs, providing quick, affordable policies and incident response services.
Steven concludes by advising security leaders to quantify cyber risk in financial terms to better communicate with executives and boards, enabling smarter decisions and stronger cybersecurity.





Federal cybersecurity responsibility has shifted to the states. What happens next?
In this episode of The SafeHouse Podcast, Jeff Edwards welcomes James Saunders, Chief Information Security Officer for the State of Maryland, for a deep conversation on state-level cybersecurity, resilience, and leadership.
James walks through his path from early technical support roles to federal cybersecurity leadership and now to protecting Maryland’s digital ecosystem. He explains Maryland’s IT Master Plan, the state’s five-pillar cybersecurity strategy, and how partnerships, talent, and resilience come together in practice.
This episode offers a behind-the-scenes look at how cybersecurity decisions are made at scale, how states collaborate with one another, and why taking care of people matters as much as taking care of systems.

Kirsten Bay, CEO and co-founder of Cysurance, explains why warranties are becoming a critical layer in cyber risk management. Bay explains how AI-driven cyber certification can help organizations predict where risk is most likely to surface, prevent disruption before it becomes a claim, and protect both insureds and carriers by creating clear, defensible signals of cyber maturity.

Ryan Ettridge, CEO of CyberCert, tackles a problem many organizations struggle with – cybersecurity frameworks that look good on paper but feel overwhelming or unusable in practice.
Ryan explains how AI-driven cyber certification can help organizations predict where risk is most likely to surface, prevent disruption before it becomes a claim, and protect both insureds and carriers by creating clear, defensible signals of cyber maturity.
Chart a clear path from compliance to real-world readiness with the fundamentals covered in this episode.

Charlotte Hooper, Co-Founder and Head of Operations at The Cyber Helpline, shares how a deeply personal experience with cyberstalking led her from policing into building one of the most practical cyber victim support models in operation today.

Keith Gologorsky, Head of Public Sector at Hack the Box, shares his personal journey from computer science graduate to government analyst, recounting pivotal moments in military operations, threat analysis, and international collaboration. The discussion explores the limitations of traditional certifications, the importance of hands-on training, and the need for regularly updated, gamified learning experiences. Keith also addresses the cybersecurity skills gap, the evolving role of AI, and offers actionable advice for organizations of all sizes: prioritize cross-training and real-world practice to build resilient teams.

Sarah Fluchs, CTO at Admeritia, explains cyber decision diagrams that capture how OT/ICS environments actually operate. This podcast covers origins in water utilities, why function modeling beats asset lists, cognitive effectiveness, and how these diagrams power risk assessments, incident response, and security-by-design.