RiskLens is the leading provider of cyber risk management software. RiskLens helps Business Executives, Risk Officers, and CISOs manage cyber risk from the business perspective by quantifying cyber risk in dollars and cents.
Forward-thinking organizations use RiskLens as their system of record for cyber risk: to understand their cyber risk exposure, prioritize their risk mitigations, measure the ROI of their security investments, and optimize their cyber insurance policies.
RiskLens is the only cyber risk management software purpose-built on FAIR, the only international standard quantitative model for cybersecurity and operational risk.
How It All Started
Two questions and two lame answers. Those were the catalyst in 2001 for developing FAIR. At the time, I was the newly minted CISO for Nationwide Insurance, and I was presenting my proposed security strategy to senior executives in hopes of getting additional funding. One of the executives listened politely to what I had to say, and asked two "simple" questions:
- How much risk do we have?
- How much less risk will we have if we spend the millions of dollars you're asking for?
If he had asked me to talk more about the "vulnerabilities" we had or the threats we faced, I could have talked all day. Unfortunately (or, I guess, fortunately), he didn't. He wanted to understand what he was going to get in return for his money. To his first question, I answered, "Lots." To his second question, "Less." Both of my answers were accompanied by a shrug of my shoulders - tacit admission that I didn't have a leg to stand on (he knew when he asked the questions that I wouldn't have a useful answer). The good news was I got most of the money I was asking for, apparently out of blind faith. The even better news was I left the meeting determined to find a defensible answer to those questions.
When I began working on FAIR, I had absolutely no idea that an international standards consortium like The Open Group would adopt it as a standard, that people would be building software to implement it, or that organizations would pay to have their people trained in it. Nor had the idea of a book crossed my mind. It also never crossed my mind that what I was developing could be used to evaluate other forms of risk beyond information risk. All I wanted was to never have to shrug my shoulders and mutter lame responses to those questions again. This, I have accomplished.
Excerpt from the Preface by Jack Jones, co-founder and EVP R&D of RiskLens, to the book "Measuring and Managing Information Risk: a FAIR approach"