CXOWARE is now RiskLens | Learn More

Legacy Approaches Fall Short

From a Compliance-based to a Risk-based Approach to Cybersecurity 

Compliance-based approaches to cybersecurity have helped implement a minimum level of security but have failed to protect organizations. In a dynamic threat environment, forward-thinking organizations have come to the conclusion that the goal of total protection is elusive and that a risk-based approach to governance and management of cyber-security is necessary. That is easier said than done, as the way most information security professionals measure risk today fails to quantify cyber-risk in terms the business can understand and use. 

Neither legacy approach provides the business-aligned, risk- and metrics-based approach to cybersecurity required by risk officers of the digital age

GRC Tools

Of the Three Promises of GRC, Most Organizations May Be Realizing Only One: Compliance

Governance, Risk, Compliance (GRC) solutions promised to help organizations more cost-effectively govern their risk landscape, make better informed risk decisions and maintain compliance with standards and regulations.

However, many organizations are, at best, realizing only the compliance objective for the following reasons: 

  • No standard cyber risk model and taxonomy 
  • In absence of a reference risk model, most GRC risk registers are being populated with "risks" that aren't risks, such as control deficiencies that do not represent possible loss events
  • Leads to inaccurate and misleading information
  • Prevents the achievement of making well informed and cost-effective risk mitigation decisions (the "R" in GRC) 
  • Prevents effectively governing the organization's risk landscape ("G")

  • Lack of timeframe estimates
    • Many of the likelihood scales in GRC implementations do not include a timeframe reference 
      • Invalidates any quantitative analysis
      • Ambiguity and inconsistency in likelihood values for risk entries
      • Severely affects the ability to effectively prioritize and report on risk
  • Misaligned likelihood and impact estimates
    • GRC products mostly provide ordinal rating scales (such as 1-5) for likelihood and impact which lead to poor risk estimates
      • Users are forced to choose a value along the continuum vs. applying probability distributions
      • Struggle to maintain the alignment between most-likely, worst case, etc. scenarios for likelihood with the high, medium, low scenarios for impact
      • Leads to information of poor quality
  • Qualitative rating scale definitions
    •  Most qualitative rating scales definitions (high, medium, low, 1, 2, 3, 4, 5) are described in other qualitative terms, so that "high" could mean "significant impact on operations" 
      • Descriptions are very open to interpretation
      • Results in inconsistent ratings 
      • Inability to reliably prioritize risk
  • Multiplying red, yellows and greens
    • Many risk rating systems rely on matrixes where users have to correlate or multiply red, yellow or greens or 3 times 2, where the numbers are based on an ordinal scale
      • Gross approximations
      • Very subjective and error-prone 
      • Leads to Inaccurate assessments and poorly informed decisions

If the "R' in an organization's GRC implementation is bad enough, the organization may be checking compliance boxes, but it may not be addressing the most important gaps first, or optimizing its gap mitigation choices. If this is the case, then the organization may not be fully realizing even the "C' in GRC. 

RiskLens can help you get the 'R' back into GRC. 

Learn More About the RiskLens Applications

The Failure of GRC
GRC Easier Said Than Done

Risk Frameworks

framework-comparison-bluelava

Source: Blue Lava Consulting

They All Tell You That You Need to Quantify Risk, but Leave It Up to You to Figure Out How

Risk Frameworks have been developed by institutions such as NIST, ISO, PCI, ISACA, etc. with the purpose of providing a means for organizations to better manage risk. 

While these frameworks can be useful for identifying basic risk management program elements that are missing or deficient, they are less useful in helping the practitioners determine the explicit significance of those deficiencies, for the following reasons: 

  • Limited or no focus on risk quantification
    • Risk frameworks are being used as reference checklists of best risk management practices 
      • List measurement of risk as a necessity
      • Little or no details on how to quantify risk
      • Up to the practitioners to figure out how
  • Reliance on qualitative scales
    • NIST 800-30 is an attempt to provide a risk measurement method but falls short of the standards for a true risk quantification model
      • Approach relies on qualitative or semi-quantitative scales to measure and combine information related to likelihood and impact of events
      • Results in inconsistent ratings and inability to reliably prioritize risk
  • Flawed definitions
    • The definitions of key factors of the NIST 800-30 model such as threat event likelihood are flawed  
      • Based on qualitative scales that are problematic: they don't rely on time-scales, which leaves data open to interpretation and makes it potentially meaningless
      • Scales are upper-bound so that there is no way to distinguish whether events are occurring once or multiple times

In summary, most of these risk frameworks are less methods for risk analysis and more processes for assessing risk practices. Some are notably silent on the subject of how to compute risk, some are open in the allowance of 3rd party methods, while other are explicitly synergistic. 

An example of that is the combined use of a standard analytical risk model such as FAIR on top of a risk management framework such as NIST CSF that can remove the above mentioned limitations and can help organizations improve the reporting on cybersecurity risk and enable cost-effective decision-making. 

The FAIR Institute recently announced the collaboration between NIST and the FAIR Institute that lead to the publication of a blog series on NIST CSF & FAIR outlining their joint value proposition:  

  • NIST CSF provides a good list of best cybersecurity practices (activities) and a qualitative framework for measuring an organization's level of compliance to those best practices.
  • FAIR adds an economic dimension to NIST CSF assessments by quantifying cybersecurity risk in financial terms, dollars and cents.

Discover Our RiskLens Applications

Spreadsheets

Ditch the Monster Spreadsheet and Get a Seat at the Business Table

Some organizations have adopted FAIR, the only standard quantitative model for cybersecurity and operational risk, as their enterprise risk model and have attempted to build their own risk quantification routines in general purpose tools. 

While they rely on a proven risk model that was purpose-built to support risk quantification, they typically encounter the following challenges: 

  • Spreadsheets are static and labor-intensive
    • Turning a general purpose tool into specialized enterprise cyber risk analysis and quantification solutions is a hugely expensive endeavor
      • Thousands of rows, hundreds of formulas and worksheets to maintain
      • Manual data collection and normalization
      • Copy and paste mistakes introduce formula errors
  • Business Intelligence tools are rigid and expensive
    •  Costly to build with even small changes requiring a big effort
      • Dedicated data scientists are expensive
      • BI experts already spoken-for on projects for BUs
      • Often rely on inaccurate estimates versus actuals
  • Build-it-yourself: figuring it out as you go
    •  Seems feasible but grows unwieldy, and inventing your own risk quantification solution overlooks the wisdom of others
      • High risk of failure due to lack of multi-disciplinary expertise (cyber, risk, math, finance)
      • Miss out on learning from peers and industry thought leaders
      • Often grow into never-ending “science projects”

Most of these efforts will at best result in the analysis and quantification of single risk scenarios, will not incorporate the level of analytics and processing power required for enterprise-level risk analysis, and will not leverage the embedded risk knowledge and industry loss data of a wide user community.  

Discover Our RiskLens Applications

Ditch the Monster Spreadsheet

RiskLens systematically addresses the limitation of these legacy approaches to cyber risk quantification and has become the solution of choice for many organizations like yours.

Next: Why Choose RiskLens?