From Qualitative to Quantitative Risk Assessments: A Cultural Shift

Managing projects and cyber risk

Technology, processes, and people are the three key components of project management. They also happen to be the three key components driving organizational change. After all, aren’t projects all about managing change?

In my experience as a project manager and consultant, most organizations focus on technology and process when implementing change and do not spend enough time on the most important piece of the puzzle: people. The cultural change required to implement, adopt and sustain new technology, is the principal cause for poor investment ROI.

The major change affecting the cyber security industry is the transition from a compliance to a risk-based approach. Organizations have realized that compliance only provides a minimum level of security coverage and that a business-aligned risk management approached is needed to best protect an organization’s crown jewels. Security controls can no longer be applied flat across all the IT infrastructure. In short, organizations need to understand what matters most to their business and what risk mitigation initiatives are most effective in protecting them.

Facilitating the cultural shift in moving to quantitative risk assessments

RiskLens customers have embraced this change and are leveraging the standard FAIR quantitative risk model and the RiskLens platform to build business-aligned risk management programs. It is not uncommon for us to hear CISOs or Risk Officers expressing the need for a new way of thinking within their organization. As most of their risk team members have been involved for a long time with managing technology compliance checklists, they are left wondering what it will take to facilitate a cultural shift within their organization.

First of all, communicate why the shift is necessary – i.e., what’s not working now, and why it’s an important enough problem to endure the pain that comes with a culture change. In the risk management space, this boils down to:

  1. “Our organization can’t prioritize effectively and isn’t able to measure or communicate the value proposition for improvements in controls.”
  2. “Debates regarding whether something is ‘high risk’, etc. become religious arguments that rarely are resolved. Or, if they are “resolved” it isn’t through logic, but rather by whoever has the loudest voice or biggest stick.”
  3. “Our organization is not able to effectively balance risk management efforts vs. investments in growing the business.”

Then, provide them with the necessary educational materials that will facilitate that cultural shift from a qualitative to a quantitative mentality. Here are some resources that our customers have found particularly effective:

  1. FAIR Book
    • Make the book  “Measuring and Managing Information Risk: A FAIR approach” by Jack Jones and Jack Freund required reading. This will help your team members understand and appreciate the theory behind the actions. Lack of action is often due to lack of clarity.
  2. FAIR Training
    • Ensure that all the stakeholders attend an in-person training session. Consider existing and new risk analysts, executives, IT auditors and ERM representatives. By decomposing risk in discrete factors, the FAIR standard provides a framework for critical thinking that gets users to think and speak of risk in business-aligned terms, dollars and cents.
  3. FAIR Institute
    • Ask your team members to join the FAIR Institute, to continue to interact with their peers and with industry leaders via online resources, online workgroups, local chapter meetings or by attending the annual conference. Membership to this expert, non-profit organization is free.
  4. FAIR Institute Blog & RiskLens Blog
    • Have your team members sign up for the blogs and learn directly from expert practitioners. In these articles, industry leaders help demystify and make changes clear and accessible. Referenced case studies help understand why the fallacies regarding risk quantification are wrong, and that the problem/solution isn’t rocket science.

In addition, creating an internal cadence for regular meetings to discuss FAIR, and organizing a FAIR book club, will create internal communication and discussions that will break through the inertia of old practices and make the quantitative language of risk the new standard within your organization.