Fresenius, a Major Player in Healthcare, Shares Its Experience with Cyber Risk Quantification (CRQ) Using Citalid



A pioneer in cyber risk quantification, Fresenius relied on Citalid to achieve a new level of accuracy and understanding of cyber threats. Discover how this collaboration transformed its strategy and strengthened its leadership in cybersecurity.

As cyber attackers become increasingly ingenious in reaching their targets, Cyber Risk Quantification (CRQ) is becoming an essential discipline for companies looking to adopt a proactive approach to cyber risk management. David Steng, Director of Cyber Strategy & Performance at Fresenius, a major player in the healthcare industry, shares the significant impact that adopting CRQ has had on the group’s cybersecurity strategy, notably through a deep understanding of cyber risk, informed decision-making, and the establishment of effective communication with senior executives.

Fresenius: A Healthcare Giant Facing the Challenges of Cyber Risk

With 175,000 employees and a presence in over 80 countries, Fresenius is a major player in the healthcare sector, with revenues reaching €22.3 billion. Yet only five years ago, cyber risk management was still in its infancy. The group operated as a holding company with four independent divisions, lacking a unified vision of cyber risk, which was then perceived merely as a technical issue.

According to David Steng: “Cyber risks are strategic risks, whose mitigation must be considered in the long term.” This realization led Fresenius to define a Group CISO function and establish a common framework for cyber risk management. The objective: to make risk understandable to all and improve decision-making at the highest level.

The FAIR Methodology: The Starting Point of Fresenius’ CRQ Strategy

As early as 2020, David Steng became interested in the FAIR methodology (Factor Analysis of Information Risk), a quantitative analysis model created by Jack Jones to quantify cyber risk in financial terms. Based on this methodology, Fresenius was able to implement semi-annual cyber risk reports for each of the group’s divisions. However, this initial quantification approach remained limited.

“Manually, we could develop 10 to 15 risk scenarios, but that wasn’t enough for a group of our size, and this method couldn’t scale due to its subjectivity,” explains David Steng. In fact, each division was responsible for its own quantification, which left room for varying interpretations and results that were difficult to compare.

Fresenius then chose to work with Citalid, a European SaaS solution capable of quantifying cyber risk in financial terms, objectively and at scale.

Threat Contextualization: A Comprehensive Approach to Risk Quantification

Citalid stands out particularly for its ability to link risk quantification with Cyber Threat Intelligence (CTI) data, which greatly appealed to Fresenius. “Citalid helps us understand which attackers are interested in our sector thanks to up-to-date cyber threat intelligence data,” says David Steng. This approach not only enables the mapping of risk scenarios but also helps define strategies tailored to the specific threat landscape of Fresenius.

Thanks to actionable dashboards and indicators, the Citalid platform helps Fresenius identify threats, assess their potential financial impact, and measure the maturity of its defensive posture. Rather than using vague terms like “severe risk” or “critical risk,” Citalid assigns figures to the risks. Citalid’s algorithm relies on thousands of simulations to evaluate the company’s defense capabilities against attackers, allowing for an accurate assessment of the defense level relative to the threat.

Tangible Benefits for Fresenius

The implementation of Citalid has yielded significant results for Fresenius, enabling the company to effectively address several challenges:

Threat Anticipation: Thanks to Citalid’s strategic intelligence on attacker groups, their methods, and attack frequencies, Fresenius can accurately anticipate and protect against threats specific to its context.

Optimization of Security Measures: The Citalid platform helps Fresenius determine the most effective risk-reducing controls through a cost-benefit analysis, enabling assessment of the cybersecurity program’s Return on Investment.

Financial Impact Quantification: Using data on potential losses and simulations, Fresenius can estimate the costs of an incident should a risk materialize.

Security Recommendations: The platform runs “Red Team” attack simulations to test the organization’s resilience to attacks. Citalid then provides tailored security recommendations to reduce risk accordingly.

Data Comparability and Objectivity: Citalid reduces subjectivity in analysis by applying unified standards, enabling the generation of indicators and comparison across Fresenius’ divisions.

David Steng highlights another essential advantage: “With Citalid, maturity level analysis is fairly easy to conduct. We used the CIS framework, but others are available like NIST or ISO.” This compatibility with multiple security frameworks eases the solution’s adoption within companies.

Proactive Risk Management and Strengthened Dialogue with Fresenius Leadership

The cyber risk quantification approach adopted by Fresenius using Citalid has not only improved risk understanding within the organization but also enabled the establishment of a common language between cybersecurity experts and financial decision-makers.

David Steng confirms that this approach has facilitated strategic discussions with leadership: “Quantification allows executives to define their risk appetite.” This shared understanding now enables Fresenius’ leaders to incorporate cyber risk into their budget decisions and strategic planning.

Citalid is a tool that drives action. “We realized that by applying Citalid’s approach, we spent less time trying to understand our risks and more time managing them,” explains David Steng. Citalid has thus enabled Fresenius to shift to a proactive approach, where each division of the group is capable of anticipating, assessing, and prioritizing its cybersecurity initiatives.

A Sustainable and Evolving Vision of Risk Management

Fresenius’ experience demonstrates that proactive cyber risk management cannot be limited to qualitative assessments or generic tools. By partnering with Citalid, the group pushed the boundaries of risk quantification by combining financial accuracy, threat intelligence, and strategic decision-making. This partnership illustrates the path forward for healthcare organizations—and beyond—seeking to transform cyber risk into a competitive advantage: a deep and contextualized understanding of threats, coupled with the ability to align technical expertise with business vision. For Fresenius, as for other leaders, this approach marks the beginning of a new era in cybersecurity.
