Recently on calls, I have heard the following questions more frequently:
How mature are the organizations that implement RiskLens?
How much data is needed? I don’t think we have enough data for risk quantification.
Completely fair questions (no pun intended). But let’s tackle this in three parts.
The maturity question is a bit loaded. Here are a couple of key requirements we have seen that will set you up for success:
1. You and your key stakeholders need to buy into the Factor Analysis of Information Risk (FAIR) risk model. While every organization is different, we have found that IT security/risk councils typically decide how to communicate internally and externally about cyber risk. These IT security/risk councils are made up of stakeholders from various parts of the organization along the three lines of defense: Security Operations, Information Risk Management, ERM, IT Audit, IT Compliance, etc. The sooner you get these stakeholders involved in evaluating FAIR as a common taxonomy and model for cyber and operational risk, the sooner the questions they have can be answered.
The first likely question in many organizations will be: Wait, don’t we already have a risk management framework in place? The answer: The FAIR model is compatible with risk frameworks such as NIST CSF or ISO 2700x, and enhances them by adding an economic dimension to risk assessment reports. Read this: Adding Dollars and Cents to Your NIST CSF Reporting with RiskLens
2. Configuration of the RiskLens Cyber Risk Quantification (CRQ) application to your organization’s environment. Don’t worry – we’re here to help get you set up! We understand that not all companies are the same; your assets, threats and forms of loss are different from other companies. During the RiskLens onboarding process (approximately two to three weeks), one of our Risk Consultants will help configure the asset and threat libraries as well as the loss tables to your environment.
3. Finally, at least one dedicated risk analyst to perform FAIR based risk analyses on the RiskLens CRQ platform. We have found that you need at least one analyst for the implementation of RiskLens to be successful, who must be trained in FAIR as part of onboarding or self-educated through our online FAIR training.
I’ll answer this in a range (just like the output from a FAIR analysis!): Some organizations are just starting their journey of implementing a risk management program and exploring their options. Others already have a risk management program. Of course, there are always some who are in between the two. Let me elaborate a little more on this.
For those who are just starting their journey, not to worry: this does not mean that you aren’t mature enough. In fact, often having a clean slate to start on is the best situation to be in. You don’t have to fight a status quo or a home-grown solution.
For those who already have a risk management program in place, this doesn’t necessarily mean that you will have to fight the status quo; as I mentioned in Part 1, the FAIR model works together with existing frameworks to produce better risk reporting.
Most of our customers underestimate the amount of data they have – they actually have more data than is necessary for risk quantification. Having said that, the RiskLens CRQ application and processes have been designed to take the reality of limited or poor-quality data into account. Our risk quantification analyses can be run with very few inputs, by leveraging the power of advanced mathematical simulations to produce meaningful probability distributions. When historical data is not available, our proven calibration approach will teach your teams how to produce high-quality estimates. Additionally, the platform comes with a series of common data sets that can be used as initial inputs for most organizations.
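To make the "few inputs, meaningful distribution" point concrete, here is an added illustration (not RiskLens code) of a FAIR-style Monte Carlo: two calibrated three-point estimates, Loss Event Frequency and Loss Magnitude, are turned into an annualized loss exposure range. The input values are constructed, and the beta-PERT and Poisson sampling choices are assumptions for this example.

```python
import math
import random
from statistics import mean

# FAIR decomposes risk into Loss Event Frequency (LEF, events per year) and
# Loss Magnitude (LM, cost per event). These estimates are constructed for
# illustration only, not drawn from any real analysis.
LEF_ESTIMATE = (0.1, 0.5, 2.0)              # min, most likely, max events/year
LM_ESTIMATE = (50_000, 250_000, 2_000_000)  # min, most likely, max dollars/event


def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw one value from a beta-PERT distribution over [low, high]."""
    if high == low:          # degenerate estimate: the analyst is certain
        return low
    alpha = 1 + lam * (mode - low) / (high - low)
    beta = 1 + lam * (high - mode) / (high - low)
    return low + (high - low) * rng.betavariate(alpha, beta)


def poisson_sample(rng, rate):
    """Number of loss events in one year for an annual rate (Knuth's method)."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(lef, lm, trials=20_000, seed=1):
    """Monte Carlo annualized loss exposure from two calibrated range estimates."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        events = poisson_sample(rng, pert_sample(rng, *lef))   # events this year
        losses.append(sum(pert_sample(rng, *lm) for _ in range(events)))
    losses.sort()

    def pct(q):
        return losses[min(int(q * trials), trials - 1)]

    return {"p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
            "mean": mean(losses), "max": losses[-1]}


if __name__ == "__main__":
    for name, value in simulate(LEF_ESTIMATE, LM_ESTIMATE).items():
        print(f"{name:>4}: ${value:,.0f}")
```

The result is reported as a range (10th, 50th and 90th percentiles) rather than a single number, which is the form a FAIR analysis output takes.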
If quantification is something that your organization is interested in bringing in – don’t count yourself out because you think you’re not mature enough. FAIR and RiskLens provide a structured and guided approach to cyber risk quantification for organizations of any level of maturity.