Ivan Milenkovich, vice president of cyber risk technology in EMEA at Qualys, said data from the CMC has the potential to allow IT security professionals to make better risk assessments — but only providing it is used correctly.
“By introducing a standardised cyber event categorisation system, the CMC is addressing a critical gap: the lack of consistent, large-scale data to support cyber risk quantification (CRQ),” Milenkovich said. “This means security teams will finally have access to reliable, aggregated information that can inform risk assessments, threat modelling, and decision-making.”
By introducing standardised cyber event categorisation, the CMC is laying the foundation for a more structured and measurable approach to cyber risk. However, cyber risk professionals will still need to integrate the CMC’s risk assessments with their own internal data to factor in their organisation’s specific industry, infrastructure, and threat profile, according to Milenkovich.