A RiskLens pilot is a test drive, a mini-implementation of the RiskLens platform in your environment with your data. Coming into the pilot, the main focus is to complete a risk analysis using real numbers from the company to assess its current-state risk. We also look to perform a future-state iteration of the current-state baseline analysis to look at the change in risk if the organization were to implement a control – say encryption, a new system, etc.
Each RiskLens Professional Services analyst has his or her own style of leading a pilot engagement for a customer, but the flow is always going to be pretty similar. Here’s how it goes day by day:
Brief overview of the FAIR risk quantification model – we usually spend the morning level setting everyone on what FAIR actually is. Don’t get me wrong, this does not replace our awesome FAIR training, but it is a start for new analysts. From there we jump right into the analysis process. We confirm what the objectives for the week are and talk through how we will achieve them.
The afternoon typically consists of getting the analysis scoped in the RiskLens tool and mapping the analysis to the FAIR Model. We focus on the goal for the week – what is our analysis about and how does it map to the FAIR Model? This can take up the rest of the day because we really like to spend time to make sure the analyst team we are working with understands the process and the mapping exercises we perform.
Learn more: How to Scope an Analysis Using FAIR
This day is usually the most intense – data collection! If analysts are new to collecting quantified figures for the analysis process, this can be a little challenging, especially for organizations that are used to assessing risk in qualitative terms, such as arranging risks on a colorful heat map according to the best guesses of the analysts. But have no fear, that’s why our Professional Services team is there! We coach you on talking to subject matter experts to get data, or on making calibrated estimates for less confident data points.
Before we are on-site we always ask if the room for meetings will have a whiteboard. This day will show you why we need a whiteboard! You can often find our team scratching out notes, writing out calculations, or drawing attack chains so everyone understands the analysis fully!
Depending on how our first day of data gathering goes, this day can be fairly easy for the team. We continue to gather any outstanding data we may need from SMEs and make our final estimates. Additionally, when doing a pilot, we love to show a future iteration or control change that could improve your current environment. This is helpful to show the great reporting the RiskLens tool has as well as a cost-benefit analysis, which most organizations perform regularly.
Finally, it’s time – we can hit the ‘run’ button. It takes just under a minute to run thousands of simulations in the Monte Carlo analysis, and our Professional Services team will walk you through all of the reporting. From here we focus on any areas that may need refinement. Maybe we need to rethink a data point or talk to our SMEs again. After we feel confident in the analysis and work performed, we wrap up for the day and the Professional Services team takes it from here. We spend the rest of the day building out a report to present to the team the following day.
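To make the data-collection, simulation and cost-benefit steps above concrete, here is an added example of what a FAIR-style Monte Carlo run looks like in code. It is not RiskLens code and does not reproduce the platform's internals: it assumes calibrated min / most-likely / max estimates modelled as PERT distributions, a Poisson draw for the number of loss events per simulated year, and a single constructed scenario with invented numbers for the current state, a proposed control, and the control's annual cost.

```python
"""Minimal FAIR-style Monte Carlo: current state vs. a control change.

Constructed example, not RiskLens code. Inputs are calibrated
min / most-likely / max estimates modelled as PERT distributions.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """A calibrated estimate: minimum, most likely and maximum value."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        if self.high <= self.low:
            return self.low
        span = self.high - self.low
        # Standard PERT (lambda = 4) expressed as a scaled beta draw
        a = 1 + 4 * (self.mode - self.low) / span
        b = 1 + 4 * (self.high - self.mode) / span
        return self.low + span * rng.betavariate(a, b)


@dataclass(frozen=True)
class Scenario:
    """One FAIR scenario: TEF x Vulnerability -> LEF; LEF x LM -> annual loss."""
    tef: Pert    # threat event frequency, events per year
    vuln: Pert   # probability a threat event becomes a loss event (0..1)
    loss: Pert   # loss magnitude per loss event, in currency units


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; fine for the small rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario: Scenario, iterations: int = 10_000, seed: int = 1) -> list[float]:
    """Return one annualised loss figure per simulated year."""
    rng = random.Random(seed)
    years = []
    for _ in range(iterations):
        lef = scenario.tef.sample(rng) * scenario.vuln.sample(rng)
        # Number of loss events this year, then a separate magnitude draw for each
        n_events = poisson(rng, lef)
        years.append(sum(scenario.loss.sample(rng) for _ in range(n_events)))
    return years


def summarise(years: list[float]) -> dict[str, float]:
    """Mean and percentiles of the simulated annual loss distribution."""
    ordered = sorted(years)
    pct = lambda q: ordered[min(len(ordered) - 1, int(q * len(ordered)))]
    return {"mean": statistics.fmean(ordered), "p50": pct(0.5), "p90": pct(0.9), "max": ordered[-1]}


def cost_benefit(current: list[float], future: list[float], annual_control_cost: float) -> float:
    """Expected reduction in annual loss minus what the control costs per year."""
    return summarise(current)["mean"] - summarise(future)["mean"] - annual_control_cost


# Constructed current-state estimates for a single scenario (invented numbers)
CURRENT = Scenario(
    tef=Pert(2, 6, 15),           # 2 to 15 attempts per year, most likely 6
    vuln=Pert(0.10, 0.25, 0.50),  # 10-50% of attempts succeed, most likely 25%
    loss=Pert(20_000, 80_000, 400_000),
)
# Future state: the proposed control is estimated to cut vulnerability by more than half
FUTURE = Scenario(tef=CURRENT.tef, vuln=Pert(0.03, 0.10, 0.25), loss=CURRENT.loss)
CONTROL_COST = 40_000  # assumed annual cost of the control

if __name__ == "__main__":
    cur, fut = simulate(CURRENT), simulate(FUTURE)
    for name, run in (("current", cur), ("future", fut)):
        s = summarise(run)
        print(f"{name:8s} mean={s['mean']:>10,.0f} p50={s['p50']:>10,.0f} p90={s['p90']:>10,.0f}")
    print(f"net annual benefit of control: {cost_benefit(cur, fut, CONTROL_COST):,.0f}")
```

The point of the comparison is the one the pilot makes on its last days: the two runs share every estimate except the one the control changes, so the difference in the loss distributions, net of the control's cost, is the quantified case for or against it. Swapping the PERT inputs for the estimates gathered from your own SMEs is the whole exercise.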
We like to bring everyone back into the room for a results presentation: stakeholders (typically the CISO, ERM, IT Audit), the analyst team, our team at RiskLens, and any other individuals you’d like to be involved in this session. The Professional Services team and your analysts develop a pilot results presentation. I always like to level-set the room on what the analysis was about and then dive into the results from there. We always spend some time after presenting the results to talk through any questions or concerns. Additionally, our team describes how you would build a quantitative risk management program with RiskLens based on other customers’ experiences. This helps us to gauge what the strategic priorities are and what usage and services could be expected.
Note: Every pilot is different – they can have twists and turns that cannot be predicted. This is the flow we aim to follow, but your pilot may go differently depending on your needs.