With the purchase of RiskLens, customers often ask “what’s the best way to get started?” The answer to that is often one of these approaches:
- Top-down: Quantify the top risks of your organization and actively monitor mitigation progress.
- Bottom-up: Assuming a risk register exists, start by normalizing and then quantifying these items, allowing for effective prioritization and improved visibility of organizational impact.
- Ad-hoc: Quantify the ROI of specific IT projects by showing risk reduction in financial terms.
Which route to choose depends on who’s asking for the information.
But… what if no one is asking? Or, more realistically, what if the people you want to help couldn’t give two hoots about what you have to offer, namely, identifying and quantifying their business unit’s risk?
It's a part of the start-up process we see often. What's the best way to spark the change to a new way of risk measurement and management? As I was reminiscing about various frameworks and flipping through documentation on COBIT, PMBOK and PRINCE2, a couple of core themes came to mind regarding implementation success of any new system or method.
Perhaps focusing on any one of these areas can help a struggling IT Risk Management team to get its due attention:
Do you have a business sponsor?
Find a business need or driver: RiskLens was procured because IT Risk Management identified a better way to measure, analyze, and recommend cost effective risk mitigation. However, without a business sponsor and driver, an organizational effort will likely fall flat.
How can IT Risk Management get a business unit behind the effort? Which business unit cares about making better informed decisions about cost effective risk mitigation?
While business units understand their operational risks, there's a good chance they haven't thought about the cyber risks of the systems that drive their processes. In today's technology-driven world, that's a noteworthy miss, and technology-savvy business representatives understand the gap.
So keep it simple and start with your peers who have indicated an understanding of cyber risk and/or an interest in your efforts.
- Identifying, defining, and ultimately quantifying a cyber risk using FAIR takes a certain amount of IT and risk knowledge, education on the process and collaboration in getting data -- better to work with someone who isn't starting from ground zero. Even if those business units aren’t involved in the key enterprise initiatives, business value can still be demonstrated and that internal value can be more easily grasped by others inside the organization. One starting point with a business unit might be an analysis of current compliance efforts: Are they worth it in risk reduction for the time and money the unit puts into them?
Does your company have a risk aware culture?
If the business isn’t driving the initiative, it is likely the organization does not yet have a culture of cyber risk management. That’s the board’s and executive leadership’s problem. How can they be influenced to take an interest in quantifying cyber risk?
Quantifying cyber risk provides a far more effective and rigorous process, resulting in improved information for stakeholders. Proving that, and getting people to trust the new approach and ultimately buy in, especially at the upper echelons, may take time. While culture change is a formidable challenge, it is a more efficient process when it is fully supported and driven from the top.
To help get leadership's attention, show off your new quantification model and application to your friends in Enterprise Risk.
- Risk professionals will be able to comprehend your goals and more easily digest the FAIR process. If Enterprise Risk reports are already respected at the board level and they buy in to cyber risk quantification (and they will), it shouldn’t be too long before the word spreads and the board starts asking for cyber risk in dollars and cents. With that request alone, the corporate culture ship starts to turn.
Have you proven value with quick wins?
Start with small wins: To procure an application like RiskLens, some level of executive support exists and it’s likely with the CISO or CIO. The IT Risk Management team can add a lot of value to these internal stakeholders.
By using quantification to enable better spending or resource allocation decisions, or to increase visibility of operational risks (e.g., patching), you can bet that sooner or later business stakeholders will start to take notice.
IT offers a wealth of opportunities for quantifying risks.
- Measure the effectiveness of a new control that is being considered by analyzing the amount of risk it can reduce.
- Find out what threats are coming into the SOC and quantify the potential impact of an actual breach.
- Quantify the risk associated with one of the vulnerabilities on your external web server.
- With time, not only does the team get better at performing quantitative risk analyses, but the playbook documenting where, and from whom, to get data also starts to take shape.
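As an added illustration of the first and third items above (it is not RiskLens code and not the full FAIR taxonomy), the following simplified FAIR-style Monte Carlo combines a triangular estimate of loss event frequency with a triangular estimate of loss magnitude per event, then compares annualized loss exposure with and without a proposed control to express the risk reduction and ROI in dollars. All estimates (a web server vulnerability hit 0.5 to 4 times a year, a $100,000 control) are constructed, hypothetical inputs.

```python
import math
import random
from statistics import mean, median

def _poisson(rng, lam):
    """Knuth's Poisson sampler: number of loss events in one simulated year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1

def simulate_ale(lef, lm, years=20000, seed=7):
    """Annualized loss exposure from triangular (min, most likely, max) estimates.

    lef: loss event frequency per year; lm: loss magnitude per event, in dollars.
    Returns (mean annual loss, median annual loss, 90th percentile annual loss).
    """
    rng = random.Random(seed)  # fixed seed keeps the analysis reproducible
    annual = []
    for _ in range(years):
        freq = rng.triangular(lef[0], lef[2], lef[1])  # args are low, high, mode
        events = _poisson(rng, freq)
        annual.append(sum(rng.triangular(lm[0], lm[2], lm[1]) for _ in range(events)))
    annual.sort()
    return mean(annual), median(annual), annual[int(0.9 * years)]

def control_roi(lef_now, lef_after, lm, control_cost):
    """Risk reduction (current ALE minus ALE with the control) and ROI vs. control cost."""
    ale_now, _, _ = simulate_ale(lef_now, lm)
    ale_after, _, _ = simulate_ale(lef_after, lm)
    reduction = ale_now - ale_after
    return ale_now, ale_after, reduction, reduction / control_cost

# Constructed, hypothetical estimates: an exposed web server vulnerability is exploited
# 0.5 to 4 times a year (most likely 2); the proposed control is expected to cut that
# to 0.1 to 1 per year. Loss per event is estimated at $50k to $800k (most likely $200k).
LEF_NOW = (0.5, 2.0, 4.0)
LEF_WITH_CONTROL = (0.1, 0.5, 1.0)
LOSS_MAGNITUDE = (50_000, 200_000, 800_000)
CONTROL_COST = 100_000

if __name__ == "__main__":
    now, after, reduction, roi = control_roi(LEF_NOW, LEF_WITH_CONTROL, LOSS_MAGNITUDE, CONTROL_COST)
    print(f"ALE now: ${now:,.0f}   ALE with control: ${after:,.0f}")
    print(f"Annual risk reduction: ${reduction:,.0f}   ROI: {roi:.1f}x control cost")
```

The mean of the simulated annual loss should land close to the analytic product of the two triangular means (about $758k before and $187k after the control), which is a useful sanity check before presenting the numbers.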
Does your top leadership know enough to ask the right questions?
Top leadership provides the direction for the initiative and actively supports it: As an IT project manager in a previous life, running a project with top management support was a dream. Resources were made available to me when I needed them, decisions were made quickly, and progress proceeded rapidly. No need to hurry up and wait for anything. Whether it be the board, risk committee, or CIO, IT Risk Management needs active executive support.
If your upper levels are still rallying around controls and measuring effectiveness through controls-based comparisons, your problem starts there. Start with providing some executive level education.
Up until a few years ago, quantifying cyber risk was touted as impossible. Perhaps it was, but things have changed.
We’re not talking about a whiz-bang application that calculates cyber risk in a black box and out pops a number. Instead, RiskLens leverages an internationally recognized, highly defensible and proven risk model that leads to a more rigorous understanding, evaluation and communication of cyber risk.
- Share who else in your industry is looking at or adopting FAIR and point to the 2,200 members of the FAIR Institute. That will get leadership's attention.
- Perhaps, reviewing a concrete, business driven case study on a particular area of concern may do the trick.
- Or perhaps pointing them to recent articles that educate leadership on what questions to ask on cyber risk will get them interested. Try this: 5 Questions Boards Should Ask About Cyber Risk.
More tips on successful risk quantification programs: