Far too often in business, assessing the maturity of a company’s risk management practices can lead to misleading results, as highlighted by Jack Jones in a prior blog post.
RiskLens' Cyber Risk Maturity (CRM) is an application that removes the gray and allows your organization to step into the light of day and truly see its strengths as well as its weaknesses. With this one-of-a-kind risk management maturity model, you can see where weaknesses lie, analyze them and run forecasting scenarios to create a roadmap for your company’s success.
How is this more objective?
Any scientist will tell you that complete objectivity is nearly impossible – we are human, after all. Currently, most security maturity models have you conduct analyses by answering Yes/No questions or assigning a 1-5 score to a very large number of questions, where the scoring is highly subjective and the results are very difficult to interpret. As an example, you may answer 'Yes' to a question asking whether your company has formal authentication processes, but no consideration is given to how these are being implemented and enforced. In some cases, the honest answer might be closer to a 'No' than a 'Yes', but those models do not capture that. When ordinal scales like 1-5 are used, the descriptions for each score are very often quite ambiguous. This can lead to situations where my score on a given component may be a four whereas your score on the same component would be a two. The only value you may get out of such an assessment is being able to state that you completed one.
In contrast, RiskLens CRM poses a manageable number of questions that go beyond security controls alone to include risk management and threat intelligence practices. The answers take the form of unambiguous multiple-choice descriptions, accompanied by confidence levels and rationale fields. This allows for easier interpretation, consistency and repeatability.
Multiple Choice Example
What will the resulting reports tell me?
The summary reports will give you an accurate visualization of your company’s risk maturity and allow you to identify true strengths and weaknesses. Bear in mind that the underlying risk management maturity model is a Bayesian network that does not look at components in isolation, one by one, but at how each component influences the others, providing a holistic risk management picture. As such, a weak foundation will result in a weak overall score.
Example of summary scores related to control conditions
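To make the "weak foundation, weak overall score" point concrete, here is a small added illustration, not code or data from RiskLens CRM. It is a toy three-node Bayesian network of the author's own construction (node names, structure and conditional probabilities are all assumed): a foundational practice influences how effective a control practice is, and both influence the overall maturity. Exact inference by enumeration is compared against the naive approach of averaging each answered component's score in isolation.

```python
"""Toy illustration of a dependency-aware maturity score versus averaging
isolated component scores.  Constructed example; not RiskLens CRM's model.

Nodes are binary: True = "strong", False = "weak".
Assumed structure: foundation -> controls, foundation -> overall,
controls -> overall.
"""
from itertools import product

# Each entry: node -> (parents, cpt) where cpt maps a tuple of parent
# states (in parent order) to P(node is strong).  Values are assumed.
NETWORK = {
    "foundation": ((), {(): 0.5}),
    "controls": (("foundation",), {(True,): 0.9, (False,): 0.4}),
    "overall": (("foundation", "controls"),
                {(True, True): 0.95, (True, False): 0.5,
                 (False, True): 0.35, (False, False): 0.05}),
}


def joint_probability(network, assignment):
    """P(full assignment) = product over nodes of P(node | parents)."""
    p = 1.0
    for node, (parents, cpt) in network.items():
        p_strong = cpt[tuple(assignment[x] for x in parents)]
        p *= p_strong if assignment[node] else 1.0 - p_strong
    return p


def probability_strong(network, query, evidence):
    """P(query is strong | evidence) by exact enumeration over hidden nodes.

    Enumeration is fine for a handful of nodes; a real model would use a
    proper inference engine, but the result is the same.
    """
    hidden = [n for n in network if n not in evidence]
    numerator = denominator = 0.0
    for states in product([True, False], repeat=len(hidden)):
        assignment = dict(evidence)
        assignment.update(zip(hidden, states))
        p = joint_probability(network, assignment)
        denominator += p
        if assignment[query]:
            numerator += p
    return numerator / denominator if denominator else 0.0


def naive_average(evidence):
    """Treat each answered component as 1.0 (strong) or 0.0 (weak) and
    average them, ignoring any dependency between components."""
    answered = [v for k, v in evidence.items() if k != "overall"]
    return sum(1.0 if v else 0.0 for v in answered) / len(answered)


def compare(evidence):
    """Return (naive average, network P(overall strong)) for given answers."""
    return naive_average(evidence), probability_strong(NETWORK, "overall", evidence)


if __name__ == "__main__":
    scenarios = {
        "weak foundation, strong controls": {"foundation": False, "controls": True},
        "strong foundation, weak controls": {"foundation": True, "controls": False},
        "only foundation answered (weak)": {"foundation": False},
        "only foundation answered (strong)": {"foundation": True},
    }
    for label, evidence in scenarios.items():
        naive, net = compare(evidence)
        print(f"{label:36s} naive={naive:.2f}  network={net:.3f}")
```

The two mixed scenarios both average to 0.5 under the naive approach, yet the network rates a weak foundation with strong controls noticeably lower than the reverse, because the foundation node also feeds the overall node directly. Answering only the foundation question already moves the overall estimate a long way in either direction, which is the "weak foundation, weak overall score" behaviour described above.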
How can I create a plan with this information?
Armed with a list of areas for improvement, you can then conduct a cost-benefit analysis of implementing change within each area of weakness, using a sister application called Cyber Risk Quantification. This will give you a prioritized roadmap of short- and long-term improvement objectives.
You can then re-run your assessment by analyzing the effect of planned improvements in your risk management practices on the overall maturity scores.
How is this valuable to me and my company?
Using RiskLens CRM to conduct risk management maturity analyses for both the current and the desired state will allow you to strengthen your reports and proposals. Showing the results of your reasonable and attainable goals will allow decision makers to make better-informed decisions.