If you’re the pioneer who’s going to introduce the FAIR model and the RiskLens platform to your organization, you’ve got a great story to tell — but you’ll need to tell it to a small village of stakeholders, each with their own points of view, agendas and standard operating procedures. Here are some tips on pitching cyber risk quantification to some key constituencies, starting with…
Read this blog post by an experienced RiskLens Professional Services team member for ways to build the right relationships before even running your first analysis.
IT Risk Team
FAIR concepts are logical, don’t require heavy math and should be easy for risk analysts to grasp. In this blog post, we cover Three Key Competencies for an IT Risk Team, which answer the practical question of how quantification gets done: defining a risk scenario, mapping that scenario onto the FAIR model and gathering data for the analysis from subject matter experts.
IT Audit Team
In How to Explain FAIR to Auditors, a former auditor turned RiskLens risk consultant describes her a-ha moment on realizing that “the overarching themes from auditing are still present” in FAIR analysis, namely assessing the degree of cyber risk related to a particular asset. But the traditional audit approach considers only the controls around the asset, whereas FAIR enables a much broader view of risk.
Enterprise Risk Team
Read Introducing Cyber Risk Quantification to Your Enterprise Risk Team – the key message here is that FAIR brings cyber risk management into the big tent of ERM by applying the same financial analysis to cyber as to other risk disciplines. Additionally, FAIR is compatible with the well-known and widely adopted risk management frameworks (e.g., NIST RMF, ISO 31000, COSO ERM, HITRUST). Related topic: Chief Risk Officer’s Intro to FAIR and Information Risk Quantification
Chief Financial Officer and Other C-Suiters
With FAIR, risk and security teams can finally answer in financial terms the bottom-line questions from the C-suite such as
Chief Information Security Officer
FAIR and cyber risk quantification shouldn’t be a hard sell to the increasingly endangered job category of CISO. The title of this article by RiskLens CEO Nick Sanna says it succinctly: Cyber Risk = Business Risk. Time for the Business-Aligned CISO. “Data breaches, ransomware and other cyber attacks causing massive reputation issues (Equifax), knocking down merger prices (Yahoo!) or interrupting operations on a global scale (the NotPetya virus victims), have elevated cybersecurity concerns from the server room to the boardroom.” Not just boards, but regulators such as the SEC are pressing infosec managers to disclose and manage cyber risk from a financial perspective. “It’s a great opportunity for CISOs,” Nick writes, to elevate their status in the organization — if they can lift their view of risk above patches, maturity scores and other technical terms, and become truly business-aligned.
Get trained in FAIR cyber risk quantification and learn to measure, manage and communicate about risk in financial terms. RiskLens is the world leader in training security and risk professionals on the FAIR risk model.