Your questions answered about the data, people and time required to launch a cyber risk quantification program that reports results in financial terms.
1. Do I have enough data to do effective cyber risk quantification?
This is a very common question customers ask while evaluating FAIR and RiskLens. These concerns usually revolve around data quantity and/or quality, because people want as little uncertainty as possible in their risk measurements.
FAIR also reduces the effects of the human subjectivity found in qualitative reporting, because the uncertainty in your data can be faithfully reflected through ranges and distributions rather than hidden behind a single high/medium/low label.
In learning FAIR - the model now trusted by more than 3,000 leading thinkers in risk and security - one foundational principle that is hugely helpful is the simple concept of calibrated estimation outlined by Douglas Hubbard in his book How To Measure Anything. Calibrated estimation is the technique that allows FAIR practitioners to quickly arrive at accurate ranges for data inputs.
The fact is that organizations tend to have more data than they think they have, and actually need less data than they think in order to operationalize FAIR. As RiskLens Cyber Risk Scientist Isaiah McGowan outlines in his blog post on data for quantitative analysis, FAIR provides much greater utility than qualitative techniques even when leveraging much of the same data, by using a probabilistic model to show potential loss exposure as a range of quantified values.
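To make the point about ranges and distributions concrete, here is an added example (not RiskLens code, and not the FAIR standard's reference implementation) of how a calibrated estimate becomes a loss exposure range. Each input is a calibrated range (low, most likely, high) sampled from a PERT distribution; loss event frequency drives a Poisson count of events per year, each event draws a loss magnitude, and a Monte Carlo run produces the annualized loss exposure as percentiles. The scenario and all numbers are constructed for illustration, and the FAIR factors are reduced to the two top-level ones (loss event frequency and loss magnitude) rather than the full taxonomy.

```python
"""Constructed FAIR-style Monte Carlo: calibrated ranges in, a loss exposure
distribution out. Example code added to this page; the ranges below are
constructed for illustration and are not real customer data."""
import math
import random
import statistics
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class CalibratedRange:
    """A calibrated estimate: the analyst is confident (typically 90%) that the
    true value lies between `low` and `high`, with `most_likely` as the mode.
    A wide range is an honest statement of uncertainty, not a failure."""
    low: float
    most_likely: float
    high: float

    def __post_init__(self) -> None:
        if not (self.low <= self.most_likely <= self.high):
            raise ValueError("expected low <= most_likely <= high")

    def sample(self, rng: random.Random, shape: float = 4.0) -> float:
        """Draw one value from a PERT (scaled beta) distribution over the range.
        `shape` controls how strongly the mass concentrates at the mode."""
        if self.high == self.low:
            return self.low
        span = self.high - self.low
        alpha = 1 + shape * (self.most_likely - self.low) / span
        beta = 1 + shape * (self.high - self.most_likely) / span
        value = self.low + rng.betavariate(alpha, beta) * span
        return min(self.high, max(self.low, value))  # guard against float drift

    def samples(self, n: int, seed: int = 0) -> List[float]:
        """Convenience for inspecting the distribution with a fixed seed."""
        rng = random.Random(seed)
        return [self.sample(rng) for _ in range(n)]


def poisson(rng: random.Random, lam: float) -> int:
    """Event count for one year given an annual rate (Knuth's method, which is
    adequate for the small frequencies typical of FAIR scenarios)."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


# Constructed scenario: unauthorized disclosure of customer records.
# Loss Event Frequency in events per year; Loss Magnitude in dollars per event.
LEF_ESTIMATE = CalibratedRange(low=0.1, most_likely=0.5, high=2.0)
LM_ESTIMATE = CalibratedRange(low=50_000, most_likely=250_000, high=2_000_000)


def simulate_annual_loss(lef: CalibratedRange, lm: CalibratedRange,
                         iterations: int = 10_000, seed: int = 1) -> List[float]:
    """One simulated year per iteration: draw a frequency, draw how many events
    actually occur, and sum an independently drawn magnitude for each event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        events = poisson(rng, lef.sample(rng))
        losses.append(sum(lm.sample(rng) for _ in range(events)))
    return losses


def summarize(losses: List[float]) -> Dict[str, float]:
    """Report the exposure as a range: percentiles, mean, and the chance of a
    loss-free year, which a single-point estimate cannot express."""
    ordered = sorted(losses)
    n = len(ordered)

    def percentile(p: float) -> float:  # nearest-rank, fine for reporting
        return ordered[min(n - 1, int(p * n))]

    return {
        "p10": percentile(0.10),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "mean": statistics.fmean(ordered),
        "p_no_loss": sum(1 for x in ordered if x == 0) / n,
    }


if __name__ == "__main__":
    result = summarize(simulate_annual_loss(LEF_ESTIMATE, LM_ESTIMATE))
    for key, value in result.items():
        print(f"{key:>10}: {value:,.2f}")
```

The output is the kind of statement the passage describes: not "this risk is high" but "in 9 of 10 years the annualized loss stays below the p90 figure, with a p_no_loss chance of no loss event at all." Widening the input ranges widens the output range, so the uncertainty in the data is carried through to the report instead of being hidden.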
2. Is my organization mature enough to adopt FAIR?
Successful adoption of the FAIR model has nothing to do with an organization's size, industry, or status on a risk maturity model. We've worked with some of the largest organizations, with very sophisticated security and risk management teams, to build a FAIR-based program. And we've worked with smaller companies with little to no risk management program who are looking to build a risk team with FAIR as a foundational principle.
Contrary to common beliefs (or fears), there are only two prerequisites to effectively adopting FAIR within an organization:
First, at least one clear and specific reason for building a quantitative program.
This is the "why?", the challenge you're trying to solve.
Examples might include:
- Inability to confidently identify their top risks
- Inability to measure and clearly communicate the cost/benefit proposition of cyber security and technology risk management efforts
- Difficulty communicating about risk with executive stakeholders
- Unproductive religious debates (internally, and perhaps with external stakeholders) about whether something represents high/medium/low risk
Second, critical thinking skills.
There's no question that the cybersecurity risk management field is full of brilliant individuals who excel at various areas within the cyber risk landscape - controls assessments, auditing, forensics, secure app development, etc. - but that doesn't inherently qualify someone as a strong risk analyst. Critical thinkers need to be able to decompose complex conditions into bite-sized chunks, view a problem from multiple perspectives, honestly question themselves, and accept the fact that uncertainty is always present.
In order for an organization to effectively adopt FAIR, they need to identify their strongest critical thinkers and ensure they're the individuals involved in risk measurement. We have witnessed organizations fail at adopting FAIR simply because they assigned people to the FAIR effort who weren’t qualified in this regard.
Learn about FAIR training through the RiskLens Academy, including self-paced online training.
3. What's the level of effort required to operationalize FAIR/RiskLens? What's the time to value?
Building a cyber risk quantification program is more intensive than traditional qualitative reporting, but organizations that define clear objectives and timelines will begin seeing value within a matter of weeks. The typical onboarding process for a new RiskLens customer is 2-3 weeks. Once the tool is calibrated, customers can begin a series of tactical or strategic projects to get the program off the ground.
Tactical analysis examples:
- A comparative cost-benefit analysis of improved or additional controls for an upcoming project under consideration
- A workshop aimed at identifying the top risks for more in-depth quantitative analysis
Strategic analysis examples:
- Comprehensive analysis of an organization's top 10 risks for Board reporting
- Analysis of top projects for budget justification
Tactical risk analyses typically provide quick results in days/weeks, while more complex strategic risk analyses can be completed in weeks/months. Deep adoption across an organization happens when RiskLens analyses are embedded within key processes. An organizational openness to quantified reporting led by a dedicated group of educated and determined champions can greatly expedite the time to value.
Adopting cyber risk quantification? You're in good company. Take McAfee as an example, and consider:
3,000 IT risk analysts and cybersecurity managers have joined the FAIR Institute, which promotes education on the FAIR model.
Gartner endorses risk quantification as one of the five pillars of cybersecurity risk management.
The SEC and other regulators are directing companies to disclose probable cyber risk in financial terms.