How to Understand QUANTITATIVE and QUALITATIVE Analysis in Cybersecurity

On today’s episode, Dr. Eric Cole explains the difference between qualitative and quantitative analysis.

As a CISO, you have to speak to executives in a language that they understand, so you can budget your time and your company’s money in a sensible way. In order to do this, you have to do quantitative and qualitative analysis of your network.

Watch this episode to learn when you need to go in depth and when a quick check of your data is enough, so that you can begin speaking the executive language.

In this episode:

  • 0:06 Welcome
  • 0:55 Question 1: How to create your own security framework
  • 4:11 Look at why breaches are happening
  • 5:04 Example of a framework
  • 5:45 The flaw with encryption
  • 8:08 Question 2: testing
  • 9:30 Change control should trigger testing
  • 10:30 The way a CISO performs risk assessment across a system
  • 11:05 This is what quantitative analysis is
  • 11:45 There are rare situations where it’s better to accept a risk and not fix a vulnerability
  • 13:13 Qualitative and quantitative models
  • 14:48 A great way to waste a ton of time
  • 15:52 What do you want to really know?
  • 16:08 Qualitative analysis
  • 17:05 A caveat
  • 18:47 How to do both qualitative and quantitative analysis
  • 19:48 Don’t get caught up in granularity. Worry about orders of magnitude.
  • 21:34 Recommend less than the totality of a list to the executive
  • 22:55 How to negotiate for a budget with the executive in mind
  • 24:10 Why my budgeting negotiation works
  • 25:51 The first problem with communicating with executives
  • 27:14 If the person you’re talking to picks up their phone... ABORT!
  • 27:44 Security with budget in mind
  • 29:09 Wrap up