It feels like a lifetime ago that I started working in January as Sales Director, EMEA, for RiskLens – the world was a very different place then. Despite all the change, it’s been a really positive start with the company, riding the rapid growth in demand for FAIR™ cyber risk quantification and the RiskLens platform that operationalises FAIR.
Looking back, there are common themes that have been apparent from the meetings with prospects and partners throughout the region, which I wanted to share. It will be interesting to see how these evolve as we get through this challenging time, and organisations adapt to the new normal.
Jamie Douglas, Sales Director for Europe, Middle East and Africa, based in London, came to RiskLens from IBM Security where he led sales efforts in Northern Europe and the UK.
Legacy Rules: Qualitative Risk Measurement Still All Too Common
Qualitative analysis rules the roost here in EMEA. Organisations are today investing significant sums of employee hours (and therefore cost), into building qualitative reports for cybersecurity risk reporting.
I came across a variety of approaches here. Some were as simple as a 3 x 3 heat map, but I did come across one organisation running an 8 x 8 heat map! My favourite anecdote was from a risk analyst saying that she and her colleagues spend the vast majority of their time in religious debates, pulling together meaningless reports that nobody ends up reading anyway.
We have a hugely dynamic threat and technology landscape, with decision making done on a colour-coded spreadsheet (which is pulled together in a very subjective fashion). As the cyber and risk markets continue to evolve (perhaps most notably as GRC morphs into IRM), coupled with the ramp in pressures on cost and spending following the COVID-19 crisis, qualitative risk reporting is going to be exposed for the inadequacy it is, and those colour-coded spreadsheets will hopefully be consigned to the bin.
Expectations of CISOs Are Higher than Ever
The function of the CISO has grown significantly over the years, to the point where most large enterprises have significant security budgets. With the budget comes an increase in expectation on the CISO, as well as closer relationships with all parts of the business. I have met with a number of CISOs who find themselves in regular meetings with the board and/or excos.
It is now more critical than ever that the CISO not only understands the business, but is able to communicate in a way that the business understands. The days of presenting threat and vulnerability data, coupled with colour coded heat maps, are numbered.
A CISO I spoke to was well aware of the fact that he could not keep presenting back to the business on the heat maps they were using. His concerns were twofold: how do they keep requesting more money when everything is still red, and secondly, how do they demonstrate success? At the moment their only real measure of success was that nothing significant had happened. Was that because they were lucky or good at their jobs?
Risk quantification will dramatically change the way the security organisation communicates with the business. Take a look at this presentation by Mark Tomallo, CISO at Ascena Retail, from the FAIR Institute breakfast during this year’s RSA Conference, describing how his usage of FAIR™ and RiskLens aligned security to their lines of business, and that nothing in his 22-year career in security had changed the perception of security within the business as much as risk quantification had.
Budget Pressure Is on CISOs
Finally, security organisations are under increasing pressure to justify their budgets, or else take budget cuts. The vast majority of spend, however, is either compliance-checklist and/or maturity-model driven, and not based on the return on investment that only quantitative analysis can present.
When your CFO knocks on your door and has the difficult chat about cost reduction, what do you cut? How do you prioritise? Having an understanding of your risk scenarios and the associated exposure in financial terms will certainly help here. Adding in ‘what if’ analysis to understand how that risk exposure changes with certain investments puts you in a very strong position to work with the business owners to understand their exposure. From there, the decision is theirs: they can choose to ride the risk, or invest to reduce it.
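To make the ‘what if’ idea concrete, here is an added example (not RiskLens code, and not from the original post) of a minimal FAIR-style Monte Carlo: loss event frequency and loss magnitude are given as three-point estimates, annualised loss is simulated for a baseline scenario and for the same scenario after a hypothetical control, and the two exposures are compared against the control’s cost. All scenario values, the control name and the cost figure are constructed for illustration.

```python
"""Constructed FAIR-style what-if comparison (illustrative values, not real data)."""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class Pert:
    """Three-point estimate (min, most likely, max) sampled as a PERT-shaped beta."""
    lo: float
    ml: float
    hi: float

    def sample(self, rng: random.Random) -> float:
        span = self.hi - self.lo
        if span == 0:
            return self.lo
        a = 1 + 4 * (self.ml - self.lo) / span   # standard PERT shape parameters
        b = 1 + 4 * (self.hi - self.ml) / span
        return self.lo + span * rng.betavariate(a, b)


@dataclass
class Scenario:
    """FAIR risk scenario: loss event frequency (events/year) and loss magnitude per event."""
    name: str
    lef: Pert
    lm: Pert


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one simulated year (Knuth's method, fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(s: Scenario, trials: int = 10_000, seed: int = 1) -> dict:
    """Annualised loss exposure: per trial, draw an LEF, draw event count, sum a magnitude per event."""
    rng = random.Random(seed)
    losses = sorted(sum(s.lm.sample(rng) for _ in range(poisson(rng, s.lef.sample(rng))))
                    for _ in range(trials))
    return {"mean": statistics.fmean(losses), "p90": losses[int(0.9 * trials)], "max": losses[-1]}


def what_if(control_cost: float = 150_000.0, trials: int = 10_000) -> dict:
    """Compare baseline exposure with exposure after a hypothetical control that lowers LEF."""
    magnitude = Pert(50_000, 250_000, 2_000_000)          # constructed: loss per event, in currency units
    baseline = Scenario("phishing-led account takeover", Pert(0.5, 2.0, 6.0), magnitude)
    mitigated = Scenario("same scenario after MFA rollout", Pert(0.1, 0.5, 2.0), magnitude)
    before, after = simulate(baseline, trials), simulate(mitigated, trials)
    benefit = before["mean"] - after["mean"]              # expected annual loss avoided
    return {"baseline": before, "mitigated": after, "annual_benefit": benefit,
            "net_of_control_cost": benefit - control_cost}
```

The returned percentiles (not just the mean) are what carry the board conversation: a control can be justified on tail exposure even where the expected-loss reduction alone barely covers its cost.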
The world as we know it is changing every day, and it seems that the world we all knew, and what was normal to us will not be returning, certainly for the short to mid-term. We will need to adapt to the new world, get more creative and smarter about how we manage and prioritise our precious resources. Cost and spend will be under huge pressure, and with the cost of attack far cheaper than the cost of defence, our adversaries will be ready and waiting.
We have seen growing interest in FAIR in regions outside of the US, most notably here in Europe. To help with the increasing levels of interest, we have partnered with the FAIR Institute to deliver a series of webinars, starting in May, for those new to FAIR and risk quantification, as well as those who are aware but would like a refresher. The webinars will be delivered by Jack Jones, three-time CISO and author of the FAIR model. For more information, and to register for the webinars, please follow the links below:
RiskLens is leading a revolution in the way cyber risk is assessed, measured and managed by bringing to market a Software as a Service solution that makes cyber risk quantification a reality.
We help organizations translate cyber risk from the technical into the economic language of business.