A Security Nerd's To-Do List to Gain Business Acumen

November 14, 2019  Jeff B. Copeland

Security professionals can close the communication gap with the rest of the business by analyzing cyber risk in financial terms, using the FAIR (Factor Analysis of Information Risk) model. But that is only the first step; the second is to learn the business itself.

As RiskLens Risk Science Director Jack Freund writes in a new column for ISACA, “Risk Analysis Requires Business Acumen”:

“Far too often, risk analysts are brimming with knowledge of controls and threats but have little understanding of how an organization makes money. This means they are innately unable to complete a risk assessment as they are missing information to appropriately assess business impact.”

Jack, the co-author of the FAIR book Measuring and Managing Information Risk, offers this to-do list of topics to learn:

  • Business strategy, goals and objectives
  • Financial results
  • Business market for your organization
  • Customer segments in that market
  • Your organization’s unique profile in the market
  • How your organization sells its products and services (sales channels including web, mobile, retail, etc.)

“Having a working knowledge of these areas of the enterprise enables a risk analyst to better assess loss magnitude forms such as productivity, competitive advantage, fines and judgements, and reputation damage,” Jack writes. “Upgrading your business acumen will improve your ability to assess business loss and by extension risk.”

Read Jack's column for ISACA.

Also by Jack Freund: ZombieLoad at the Gates - FAIR on Defense (FAIR Institute Blog)