Your questions answered about the data, people and time required to launch a cyber risk quantification program that reports results in financial terms.
Adopting cyber risk quantification? You're in good company. Take for example McAfee and consider: 6,000 IT risk analysts and cybersecurity managers have joined the FAIR Institute, which promotes education on the FAIR model. Gartner endorses risk quantification as one of the five pillars of cybersecurity risk management. The SEC and other regulators are directing companies to disclose probable cyber risk in financial terms.
1. Do I have enough data to do effective cyber risk quantification?
This is a very common question customers ask while evaluating FAIR and RiskLens. The basis for these concerns often revolves around data quantity and/or quality, because people want as little uncertainty as possible in their risk measurements. With quantitative analyses, there are well-established methods like PERT distributions, Monte Carlo simulations, and calibrated estimation techniques that help account for sparse and uncertain data. Additionally, this reduces the effects of human subjectivity found in qualitative reporting, because uncertainty in your data can be faithfully reflected through ranges and distributions. In learning FAIR - the model now trusted by more than 3,000 leading thinkers in risk and security - one foundational principle that is hugely helpful is the simple concept of calibrated estimation outlined by Douglas Hubbard in his book How To Measure Anything. Calibrated estimation is the technique that allows FAIR practitioners to quickly arrive at accurate ranges for data inputs. The fact is that organizations tend to have more data than they think they have, and actually need less data than they think in order to operationalize FAIR. As RiskLens Cyber Risk Scientist Isaiah McGowan outlines in his blog post on data for quantitative analysis, FAIR provides much greater utility than qualitative techniques even when leveraging much of the same data, by using a probabilistic model to show potential loss exposure as a range of quantified values.
2. Is my organization mature enough to adopt FAIR?
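The Monte Carlo approach mentioned above, as an added illustration that is not RiskLens's code or any official FAIR implementation: it draws loss event frequency and loss magnitude from PERT distributions built from calibrated minimum / most likely / maximum estimates, simulates many years, and reports annualized loss exposure as a range rather than a single number. The scenario inputs, the PERT shape parameter (4) and the Poisson step for counting events in a year are all assumptions made for this example.

```python
import math
import random

# Constructed example inputs, not data from any real organization: calibrated
# 90% ranges (min, most likely, max) for one loss scenario.
LOSS_EVENT_FREQUENCY = (0.5, 2.0, 6.0)          # loss events per year
LOSS_MAGNITUDE = (20_000, 150_000, 1_200_000)   # dollars lost per event


def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw one value from a PERT distribution (a scaled Beta) whose shape is
    set by a calibrated min / most likely / max estimate. lam=4 is the
    conventional PERT weight on the mode (an assumption of this example)."""
    if not low <= mode <= high:
        raise ValueError("need low <= mode <= high")
    if high == low:                      # degenerate range: a point estimate
        return float(low)
    alpha = 1.0 + lam * (mode - low) / (high - low)
    beta = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson_sample(rng, rate):
    """Number of loss events in one simulated year given a yearly rate
    (Knuth's method; adequate for the small rates typical of FAIR inputs)."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(lef, lm, iterations=10_000, seed=42):
    """Monte Carlo over `iterations` simulated years. Each year: draw a loss
    event frequency, draw how many events actually occur, then draw and sum a
    loss magnitude for each event. Returns the sorted annual losses."""
    rng = random.Random(seed)            # fixed seed makes the run reproducible
    losses = []
    for _ in range(iterations):
        rate = pert_sample(rng, *lef)
        n_events = poisson_sample(rng, rate)
        losses.append(sum(pert_sample(rng, *lm) for _ in range(n_events)))
    return sorted(losses)


def percentile(sorted_vals, q):
    """Nearest-rank percentile over an already sorted list (0 <= q <= 1)."""
    idx = round((len(sorted_vals) - 1) * q)
    return sorted_vals[idx]


def summarize(sorted_losses):
    """The range a report would show: loss exposure from best case to
    worst case, with the 10th/50th/90th percentiles and the mean."""
    return {
        "min": sorted_losses[0],
        "p10": percentile(sorted_losses, 0.10),
        "median": percentile(sorted_losses, 0.50),
        "mean": sum(sorted_losses) / len(sorted_losses),
        "p90": percentile(sorted_losses, 0.90),
        "max": sorted_losses[-1],
    }


if __name__ == "__main__":
    annual = simulate_annual_loss(LOSS_EVENT_FREQUENCY, LOSS_MAGNITUDE)
    for name, value in summarize(annual).items():
        print(f"{name:>6}: ${value:,.0f}")
```

The width of the output range is inherited from the width of the inputs, which is the point: sparse data is expressed as a wider calibrated range, not hidden behind a single "medium" label, and the variable whose range dominates the spread of the result is the one worth collecting more data on first.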
Successful adoption of the FAIR model has absolutely nothing to do with an organization's size, industry, or status on a risk maturity model. We've worked with some of the largest organizations with very sophisticated security and risk management teams to build a FAIR-based program. And we've worked with smaller companies with little to no risk management program who are looking to build a risk team with FAIR as a foundational principle. Contrary to common beliefs (or fears), there are only two prerequisites to effectively adopting FAIR within an organization: At least one clear and specific reason for building a quantitative program. This can also be seen as the "why?" or challenge you're trying to solve. Examples might include:
- Inability to confidently identify their top risks
- Inability to measure and clearly communicate the cost/benefit proposition of cyber security and technology risk management efforts
- Difficulty communicating about risk with executive stakeholders
- Unproductive religious debates (internally, and perhaps with external stakeholders) about whether something represents high/medium/low risk
3. What's the level of effort required to operationalize FAIR/RiskLens? What's the time to value?
Building a cyber risk quantification program is more intensive than traditional qualitative reporting, but organizations that define clear objectives and timelines will begin seeing value within a matter of weeks. The typical onboarding process for a new RiskLens customer is 2-3 weeks. Once the tool is calibrated, customers can begin a series of tactical or strategic projects to get the program off the ground. Tactical analysis examples:
- A comparative cost-benefit analysis of improved or additional controls for an upcoming project under consideration
- A workshop aimed at identifying the top risks for more in-depth quantitative analysis
- Comprehensive analysis of an organization's top 10 risks for Board reporting
- Analysis of top projects for budget justification