You get it. Cyber risk quantification is where the cyber security industry is heading, and you want your organization to be ahead of the curve. However, your boss is not convinced yet.
If you're facing resistance and objections internally, we've probably heard them before. This blog is here to help you address your boss's concerns, demonstrate the value of a risk-based, quantitatively focused cyber risk program, and get his/her buy-in and support.
Listed below are some of the challenges that we hear most from cyber risk executives, along with resources and answers that will help them make an informed decision about whether cyber risk quantification is right for their organization...and it just might convince them along the way.
- You told me before this can't be done
- Cyber risk quantification is not only possible, but it's also scalable at an enterprise level and has been adopted by large organizations in a variety of industries, spanning from financial services, to retail and healthcare.
- What made this possible is the emergence of a standard quantitative risk model for cybersecurity (FAIR) and software such as RiskLens, that made FAIR-based analyses easy to conduct and operationalize.
- Quantifying cyber risk sounds complicated and time-consuming
- The FAIR model brings efficiency to the risk assessment process by providing a practical breakdown of the factors of risk, bringing order and consistency to every analysis.
- The RiskLens software provides an easy-to-use, guided workflow and data libraries to complete FAIR-bases analyses even in situations where data is limited or uncertain.
- Is anyone else asking for cyber risk quantification?
- Board of directors and business executives in many large organizations are increasingly asking to understand the value of cybersecurity programs. They are hiring CISOs or Risk Officers that can articulate cyber risk in financial terms and calculate the ROI of cybersecurity. It is no longer satisfactory to only answer questions about the impact of cyber risk to the business in terms of "High, Med, Low" and "Red, Yellow, Green."
- Industry regulators are asking organizations to adopt formal risk models as the basis of risk assessments. In addition, US federal banking regulators are actually pushing large banks to conduct risk assessments in quantitative (financial) terms, as outlined in the proposed new cyber risk management standards by the Federal Reserve, the FDIC, and the OCC. FAIR is recognized by the regulators as a valid risk model for quantitative risk assessments and is explicitly called out in the new standards referenced above.
- Who else is doing it?
- Cyber risk quantification has been embraced by some of the largest organizations in healthcare, banking, retail, telecommunications, insurance, technology, and manufacturing, whose typical revenues fall in the range of hundreds of millions to dozens of billions of U.S. dollars. Several Fortune 50 and top 10 banks are leveraging RiskLens for their risk assessments. You can read more on this here.
- The FAIR Institute - an expert organization whose mission is to provide opportunities for cyber risk executives and practitioners to learn about risk quantification using the FAIR risk model, exchange best practices and network among peers - has experienced exponential growth since its launch in February 2016 and counts over 700 members at the end of 2016.
- How credible is it?
- The FAIR risk model, that RiskLens uses as a basis of its risk analyses, is an international standard adopted by The Open Group. The Open Group is a global consortium that enables the achievement of business objectives through IT standards. It has more than 600 member organizations including technology companies such as IBM, HP and Oracle; large enterprises; government organizations, and academic institutions. The Open Group selected FAIR as it standard risk assessment model after a rigorous evaluation and comparison with other models.
- NIST recognizes FAIR as a complementary standard to the NIST CSF for organizations that need to quantify and prioritize risk in financial terms. NIST has listed an article series outlining the value of the combined approach in its Industry Resources page.
What do analysts say?
- Customer requirements for risk management have changed significantly according to analyst John Wheeler, who in a LinkedIn post announced that Gartner shifted their research focus from GRC to Integrated Risk Management.
- John Wheeler identifies "risk quantification and analysis" as a critical capability for operational risk management solutions in its 2016 research noteon the subject. Without a capability to quantify risk in financial terms, proper assessment and cost-effective prioritization of risk cannot be performed.
- Why change what's working?
- It seems that the cyber security industry has risk management under control. Yet, during engagements with customers we often find that over 50% of risks in their risk register are not really risks. This is because no-one is operating with a consistent definition of risk and are mostly concerned with controls checklists, leaving key risk management factors such as asset and threat visibility out of the equation.
- Without a comprehensive and consistent definition of risk, assessing risk becomes a futile exercise that mis-represents risks in fundamental ways and does not enable the kind of decision making that risk assessment should enable in the first place.
- Are we mature enough?
- What we have consistently found among organizations who have been successful with RiskLens is that executive support is a more important factor than the maturity of an information risk management program. Most customers were stuck at qualitative risk assessments and initially assumed that they didn't have enough data. After putting RiskLens to the test in a pilot, common feedback is "quantifying risk was much easier than we imagined, and the data requirements were much less than we anticipated".
- RiskLens' workflow for risk analyses helps organizations leapfrog to a higher maturity level by guiding users to consistently apply the principles of risk quantification as outlined by the FAIR standard, step-by-step.
- Can we do FAIR analysis ourselves?
- FAIR is an open standard published by The Open Group and you can practice performing single risk analyses via spreadsheet. If you intend to build more sophisticated analyses that involve the use of ranges for data inputs, that leverage Monte Carlo simulations, and aggregate multiple risk scenarios, the spreadsheet approach will not scale. We've been there, done that and so have several of our customers that went that route in absence of a commercially viable solution.
- The RiskLens software platform, that has since been released, does the heavy lifting for you and provides very powerful aggregation and what-if-analyses, that automatically generate the type of reports that business executives, the board, ERM and the auditors expect from your organization.
- How do I ensure I get value and ensure against this becoming shelf-ware?
- Every RiskLens subscription includes a minimum set of services such as training and on-boarding to ensure that our customers possess the required skills to perform quantifiable risk analyses.
- In addition, RiskLens' Customer Success team has developed an adoption methodology that guides organizations through the various phases of a successful cyber risk quantification program and that measures progress at every step. You can read more about it here: The 5 phases of successful cyber risk quantification programs.