At RiskLens, we’re all about defining and refining “risk” to laser focus on what can be measured (in meaningful ways), prioritized and ultimately managed. When we hear loose use of terminology in the risk field, our antennae go up.
We frequently hear customers use two terms interchangeably to describe their needs: “cyber risk” and “technology risk”. They sound like they should mean the same thing but they don’t. We offer these handy definitions:
Cyber Risk
We’re talking about bad actors maliciously causing harmful events in cyberspace: ransomware, stolen data, and the rest of the uglies. Strictly speaking, in the terms of the FAIR model that powers RiskLens, cyber risk is the probable frequency and probable magnitude of future losses associated with these events.
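The FAIR definition just given (probable frequency and probable magnitude of future loss) is usually turned into numbers by Monte Carlo simulation. The example below is added here to show that mechanic; it is not RiskLens platform code and not part of the original post. It assumes a triangular estimate (min, most likely, max) for annual loss event frequency and a lognormal estimate (median, spread) for loss magnitude per event, both constructed for illustration, and reports the annualized loss exposure and a loss exceedance probability of the kind a FAIR analysis presents.

```python
import math
import random

def poisson_draw(rng, rate):
    """Number of loss events in one year for a given annual rate (Knuth's method).

    Adequate for the small event rates typical of cyber loss scenarios.
    """
    if rate <= 0:
        return 0
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1

def percentile(sorted_values, pct):
    """Value at the given percentile of an ascending-sorted list."""
    idx = min(len(sorted_values) - 1, int(pct / 100 * len(sorted_values)))
    return sorted_values[idx]

def loss_exceedance(losses, threshold):
    """Fraction of simulated years whose total loss exceeds the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)

def simulate_annual_loss(lef_min, lef_likely, lef_max, lm_median, lm_sigma,
                         trials=20000, seed=7, exceedance_threshold=1_000_000):
    """Simulate annual loss for one FAIR-style scenario.

    lef_*     : assumed triangular estimate of Loss Event Frequency (events/year)
    lm_median : assumed median loss per event (must be > 0); lm_sigma is the
                lognormal spread in log-space
    Returns summary statistics over the simulated years.
    """
    rng = random.Random(seed)  # fixed seed so results are reproducible
    mu = math.log(lm_median)
    losses = []
    for _ in range(trials):
        # Draw this year's event rate, then how many events actually occur,
        # then a magnitude for each event; total is the year's loss.
        rate = rng.triangular(lef_min, lef_max, lef_likely)
        events = poisson_draw(rng, rate)
        losses.append(sum(rng.lognormvariate(mu, lm_sigma) for _ in range(events)))
    losses.sort()
    return {
        "mean": sum(losses) / len(losses),          # annualized loss exposure
        "p10": percentile(losses, 10),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "p_exceed": loss_exceedance(losses, exceedance_threshold),
        "losses": losses,
    }

if __name__ == "__main__":
    # Constructed inputs: 0.5 to 8 ransomware-type events per year, most likely 2;
    # median loss $50k per event with a wide spread.
    result = simulate_annual_loss(0.5, 2, 8, 50_000, 1.0)
    print(f"Annualized loss exposure: ${result['mean']:,.0f}")
    print(f"10th/50th/90th percentile year: ${result['p10']:,.0f} / "
          f"${result['p50']:,.0f} / ${result['p90']:,.0f}")
    print(f"Probability of a year exceeding $1M: {result['p_exceed']:.1%}")
```

The point of running frequency and magnitude as distributions rather than single numbers is that the same routine, fed with estimates for a technology risk scenario (say, an accidental data exposure) or an operational one, produces figures in the same units, which is what makes the apples-to-apples comparison discussed later in the post possible.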
Cyber Risk is a subset of…
Technology Risk (or IT Risk)
Includes all of the above, plus fat-fingered employees accidentally emailing out sensitive information, software glitches, tripping over power cords, the flood at the data center, or any other risk to information technology or information that negatively impacts business operations.
(Failures to comply with regulations around digital operations, for instance the HIPAA rules for a hospital or the PCI rules for companies accepting credit cards, might sound like candidates for technology risk, but managing compliance only tangentially affects risk and should probably be treated as a distinct risk domain within organizations.)
Technology Risk is a subset of…
Operational Risk
Any event that affects an organization’s ability to operate.
What Do These Risk Categories Mean Functionally for Organizations?
Adopting the hierarchy above means the Cyber Risk group would report up to the Technology Risk Group which would report up to the Operational Risk Group. In practice, cybersecurity and technology risk management are often treated as peers, reporting to Operational Risk.
Jack Jones, creator of the FAIR model and co-founder of RiskLens (and a veteran cybersecurity officer and consultant) comments that “Information security as a function has been around for decades, whereas Technology Risk as a formal and distinct focus is relatively new.”
Regardless of org charts, says Jack, organizations need to “normalize how they think about, measure, and communicate risk. If you have Cyber Risk and Technology Risk groups that measure and communicate differently about risk, you have a big problem.”
With the FAIR model’s quantitative approach as a foundation, “an organization can compare apples to apples across risk disciplines, prioritize based on risks and understand the cost benefit of risk management,” says Jack.
The RiskLens platform applies quantitative analysis to cyber risk, technology risk and operational risk.