In my work as a RiskLens analyst, I’m privileged to be invited by our clients to take a deep look at their risk processes, and to help guide them through some serious thinking on difficult topics, and not just about the risks faced by the company. Implementing RiskLens and the FAIR model also means changing some longtime beliefs about risk analysis and risk management.
I’ve spent many hours listening to CISOs and risk analysts, and watching them interact. The following 3 C’s are my observations that I’d hope will enable CISOs—and analysts—to handle change more effectively.
1. Culture
Depending on the size of your organization, this can be a big beast to tackle. To drive true change, especially within Risk groups, the environment is crucial. Risk analysts want to be heard. They want to feel their work matters and provides value. CISOs should clear time in their schedules just for listening. They should provide analysts with the right tools. Most importantly, analysts want to see that, when they’ve put the effort into a risk scenario, something is going to be done about the risks they’ve identified.
2. Controls
Adding more controls or policies doesn’t always reduce risk. Having a control mindset, although not inherently bad, can be overdone. Adding controls comes at a cost. And every control or policy that gets added to environment does not always have the intended result; it could make an employee’s job more difficult to perform or could add useless work, like a control that tests the steps in another control (yes, I’ve seen that). My caution: Evaluate what you currently have in place to see if it is working or performing the way you intended.
3. Communication
I run into two issues here. First, on communicating about risk: You need a clear and concise set of terms that everyone in the organization understands. Without that common language, common goals and metrics aren’t possible. Second, it is important to be clear on expectations given and to provide helpful feedback. Don’t hide the purpose behind completing a risk analysis; “just do it” doesn’t motivate great work. And don’t ask for an analysis if you’re not prepared to follow up on the results. Nothing frustrates an analyst more than saying “I understand your conclusion but we’re not changing the way we do things.”
Risk quantification (and the FAIR model) can help with the 3 C’s…
I’ve seen some dramatic changes for the good in infosec organizations once they’re empowered with FAIR, and mobilized around a common language, tools and culture.