In a recent interview, James Lam, renowned expert on governance and risk and newly appointed RiskLens board member, was asked to describe his perspective on bringing cyber risk management under the enterprise risk management (ERM) umbrella. His response captures a key pain point of traditional risk management reporting: the lack of a common means to communicate risk across the enterprise.
“The history of ERM indicates that managing risk by silos doesn’t work because risks are dynamic, they have critical interdependencies, and they need to be aggregated at the enterprise level. Unfortunately, cyber being the 'new kid on the block' in many situations has resulted in it being managed as a silo with different methods - and that’s a real pitfall.”
Our experience at RiskLens shows that organizations that have successfully implemented cyber risk quantification programs (leveraging the FAIR model) share a common set of practices and behaviors including: clear establishment of program goals and criteria for measuring success; cultural adaptation and training on FAIR; and adoption of required knowledge, practical application, and supporting services to conduct quantitative analyses via a decision support platform such as RiskLens Cyber Risk Quantification (CRQ). RiskLens has documented these practices in an actionable blueprint for success, which many organizations have leveraged to build their own quantitative cyber risk management programs.
Keeping this blueprint in mind, below are a few examples of practices that risk analysts, CISOs and CIOs can leverage to effectively introduce cyber risk quantification to their organization.
Pilots / Case Studies
Many organizations have successfully introduced the concept of FAIR to their Enterprise Risk teams by establishing quick wins via pilots or case studies. One success story came from a customer that was able to obtain buy-in from their organization via a case study that was performed to analyze the amount of risk exposure (in dollars and cents) for a small IT department from a breach, which helped to expose the underlying cost associated with tracking and resolving helpdesk incidents.
The results were so well received by leadership that they started gaining traction performing similar types of analysis in other areas of the business. In another example, the results from a successful case study triggered a message from the C-suite that quantitative risk analysis via FAIR would become a prerequisite for any key audit findings before they could be reported up through leadership.
There are a multitude of use cases for FAIR and RiskLens that span beyond just the concern of IT executives. Whether it’s preparing for upcoming regulatory requirements such as GDPR and NYDFS or helping to justify existing or future expenditures, quantitative cyber risk analysis via RiskLens can be leveraged to drive meaningful and actionable results.
As with any organization that is successful in implementing change, support and buy-in from leadership is an essential prerequisite to success. Achieving buy-in is much easier if executives are familiar with the FAIR model, and are then supported by risk managers and analysts trained on FAIR.
RiskLens offers both a live and online FAIR Fundamentals training course designed for any audience new to FAIR, including executives, SMEs, and new risk analysts. RiskLens also recently launched a FAIR Analyst Learning Path course which covers the skills risk analysts need in order to be able to quickly and consistently produce high-quality analyses and present results
Integration with Existing Risk Management Frameworks
A common misconception with FAIR is that it competes with well-known and adopted risk management frameworks (i.e., NIST RMF, ISO 31000, COSO ERM, etc.). In fact, FAIR is designed to complement existing risk management frameworks. In many cases, FAIR serves as the missing component to effective risk management as it enables the measurement of risk.
RiskLens’ CEO Nick Sanna, captures this point in a recent FAIR Institute blog post, stating that “when it comes to assessing risk and providing the data to inform those strategies, i.e. identifying, measuring, prioritizing, reporting risk [a risk management framework] does not provide any indication of how to do it.” An increasing number of organizations are beginning to make this connection and leveraging the power of cyber risk quantification to enhance their overall risk management programs.
When reporting cyber risk to executives, the Board or other key stakeholders, organizations that have adopted FAIR have found success in gradually introducing quantitative metrics to their existing qualitative reporting vs. a rip and replace approach. Introducing quantitative figures next to existing qualitative scales can help maintain consistency with the reporting that the audience is accustomed to, while providing additional context that enables meaningful decision making in a language that all parties can understand – dollars and cents.
Below is an example of how to associate quantitative cyber risk metrics with a traditional high / moderate / low scale:
- Very High: Losses over $25 million
- High: Losses greater than $5 million up to $25 million
- Moderate: Losses greater than $500,000 up to $5 million
- Low: Losses greater than $50,000 up to $500,000
- Very Low: Losses $50,000 and below
As risk analysts begin to obtain buy-in from their stakeholders, they can gradually make the numeric components the center of the attention rather than a number on the side. It’s important to keep in mind when leveraging this approach, as mentioned by Jack Jones and Jack Freund in their book, Measuring and Managing Information Risk: A FAIR Approach, to make sure that each level of the scale drives a different behavior. For example, if a risk is assigned a high rating but stakeholders do not care, the ratings are likely to lose credibility.
Organizations cannot effectively manage cyber risks if they cannot measure them. The time is now to take the necessary steps to help better communicate cyber risk consistently and effectively throughout your organization.