As a follow-up to Isaiah MacGowan's post on the new proposed cybersecurity standards published by the Federal Reserve, OCC, and FDIC, I wanted to dive a bit deeper into one of the enhanced risk management expectations: "establish incident response and cyber resilience capabilities to quickly recover from cyber events".
In recent years we have seen a mindset shift within information security: the focus is no longer solely on prevention, but also on response and recovery. NIST CSF, whose Respond and Recover functions sit alongside Identify, Protect, and Detect, is one of the cyber risk management frameworks driving that shift.
Improving an organization's incident response and recovery processes sounds like a good idea, but how do we show its value in business terms? Enter Factor Analysis of Information Risk (FAIR):
FAIR is a quantitative risk model that decomposes risk into loss event frequency and loss magnitude. Improving your incident response processes doesn't change how often cyber events occur. Rather, it reduces the magnitude of the losses those events cause when they materialize: faster containment shortens outages (productivity loss), a rehearsed response reduces response costs, and limiting the blast radius lowers secondary losses such as fines, legal costs, and reputational damage.
Using the RiskLens platform, we can help an organization model its key cyber scenarios and quantify their loss exposure in financial terms. Once these current-state scenarios are analyzed, we can version them. In the new versions we rapidly adjust the loss magnitude factors to account for the improved processes, while leaving the frequency estimates untouched. RiskLens can then take the results of both analyses and compare them side by side, showing the reduction in loss exposure in business-friendly terms.
These results can go a long way toward gaining the support of the business, as well as demonstrating the improvements to your program for regulators to admire.
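To make the "version the scenario, adjust only the magnitude factors, compare side by side" idea concrete, here is a small Monte Carlo simulation of a FAIR-style loss scenario. This is example code added to this post; it is not RiskLens code, and every parameter value (an assumed 2 loss events per year, assumed min / most likely / max per-event losses, and an assumed improved version with the same frequency but lower magnitudes) is constructed for illustration. It also substitutes a triangular distribution for the PERT distribution that FAIR tooling typically uses for calibrated estimates.

```python
"""Monte Carlo comparison of a FAIR-style loss scenario before and after
incident-response improvements.  Added example, not RiskLens code; all
scenario parameters below are constructed for illustration."""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    """One FAIR loss scenario.

    events_per_year is the loss event frequency (a Poisson rate); the three
    loss_* fields are a calibrated (min, most likely, max) estimate of the
    loss magnitude per event in dollars.  A triangular distribution is used
    here as a stand-in for the PERT distribution FAIR tooling usually uses.
    """
    name: str
    events_per_year: float
    loss_min: float
    loss_mode: float
    loss_max: float


# Constructed current-state scenario: e.g. ransomware on a business-critical app.
CURRENT = Scenario("Ransomware, current state", 2.0, 50_000, 400_000, 3_000_000)
# Versioned scenario: same frequency, lower magnitudes (faster containment,
# rehearsed response, tested backups).  Only the magnitude factors change.
IMPROVED = Scenario("Ransomware, improved IR", 2.0, 50_000, 200_000, 1_200_000)


def poisson(rng: random.Random, rate: float) -> int:
    """Number of loss events in one simulated year (Knuth's algorithm)."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def annual_losses(s: Scenario, years: int, seed: int = 1) -> list[float]:
    """Simulate `years` years and return the total loss for each year.

    Frequency and magnitude use separate RNG streams so that two versions of
    a scenario with the same frequency see exactly the same event counts per
    year; the only thing that differs between them is how bad each event is.
    """
    freq_rng = random.Random(seed)
    mag_rng = random.Random(seed + 1)
    totals = []
    for _ in range(years):
        n = poisson(freq_rng, s.events_per_year)
        # random.triangular takes (low, high, mode).
        totals.append(sum(mag_rng.triangular(s.loss_min, s.loss_max, s.loss_mode)
                          for _ in range(n)))
    return totals


def summarize(totals: list[float]) -> dict[str, float]:
    """Annualized loss exposure (mean) plus tail figures decision-makers ask for."""
    ordered = sorted(totals)
    return {
        "ale": mean(totals),
        "p90": ordered[int(0.9 * len(ordered))],
        "worst_year": ordered[-1],
    }


def compare(current: Scenario, improved: Scenario,
            years: int = 10_000, seed: int = 1) -> dict:
    """Side-by-side comparison of two scenario versions, as RiskLens would show."""
    cur = summarize(annual_losses(current, years, seed))
    imp = summarize(annual_losses(improved, years, seed))
    return {
        "current": cur,
        "improved": imp,
        "ale_reduction": cur["ale"] - imp["ale"],
        "ale_reduction_pct": 100.0 * (cur["ale"] - imp["ale"]) / cur["ale"],
    }


if __name__ == "__main__":
    result = compare(CURRENT, IMPROVED)
    for label in ("current", "improved"):
        r = result[label]
        print(f"{label:>8}: ALE ${r['ale']:>12,.0f}   "
              f"90th pct ${r['p90']:>12,.0f}   worst year ${r['worst_year']:>12,.0f}")
    print(f"ALE reduction: ${result['ale_reduction']:,.0f} "
          f"({result['ale_reduction_pct']:.0f}%)")
```

The reduction in annualized loss exposure, and especially the drop in the 90th-percentile and worst-year figures, is the number to bring to the business: it is the financial value of the response and recovery investment, expressed without a single technical term. Keeping the frequency stream identical between versions is deliberate; it makes the comparison attributable to the magnitude changes alone rather than to simulation noise.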