Stay Productive: Our Team’s Tips on Running Cyber Risk Analysis Projects from Home

April 9, 2020  Taylor Maze

With the impact of COVID-19 being felt across the world, more and more organizations are adopting remote models in order to continue to operate during the pandemic. As a team that operates nearly fully remote year around, the Professional Services team at RiskLens has put our heads together to come up with this list of best practices for continuing FAIR™ based quantitative risk analysis from the safety of your homes.
Taylor Maze is a Senior Risk Consultant with RiskLens.

>>Set Yourself Up for Success

Before you can get back into your analysis, you first need to make sure you have an environment that is going to encourage productivity. If you aren’t used to working remotely, here are a few tips to get set up.

  • Have designated “work” and “home” spaces in your remote office of choice. If you are taking conference calls from the same spot on the couch you usually watch cartoons with your daughter, odds are you won’t be in the right mental space to be fully engaged
  • Video calls are going to be your best friend during remote meetings – trust us, it makes a difference! During estimation sessions being able to see your subject matter expert(s) will help you to determine how confident they are feeling in the data provided and can help you to dynamically change your approach as needed. Make sure you have an appropriate background for those videos and have a good handle on the way the video conferencing system you are using works!
  • Used to using visuals in your sessions? Don’t let being home stop you! Get creative with PowerPoint, make a beautiful graphic on Canva, or if you’re an Apple user, try using AirPlay and an iPad to white board on during your brain storming sessions! This will make all the difference when working on attack chains and contextualizing FAIR.

Once you’ve gotten a handle on your perfect set-up, you’re ready to get back into the swing of quantitative risk analysis! The most important thing to keep in mind is that the same fundamentals of data gathering hold true whether you’re in person or remote, you just may need to tweak the preparation or delivery.

>>Prepare, Prepare, Prepare

The level of preparation for sessions should be the same, or higher, than if the meeting were being held in person. This includes researching the scenario purpose and scope and clearly defining the data points required. When determining what data points are needed, you should be identifying the specific questions you will need answered and who in the organization can answer them.

It is also in your best interest to have more than one possible way in which to gather the data for your estimate. For example, if you need to know the number of times in a given year that there is a successful foothold in the network via phishing, consider a couple of different ways you could get to that answer such as:

  • Utilizing the number of phishing campaigns that are successful in circumventing the filter and the related click rate
  • Attributing a portion of historical successful footholds to phishing

>>Send a Detailed Agenda, Not an Email

When at all possible, all data gathering sessions should be held as video conference or phone call, not gathered via email. This is important because it helps to reduce the likelihood of gathering inaccurate or uncalibrated data and allows the analyst to ask clarifying questions and ensure the  scope guardrails are maintained.

If time does not allow for the length of data gathering you would like, rather than defaulting to gathering via email, suggest a different meeting time or shorter duration. Thirty minutes on the phone is more productive than a week of ineffective email chains.

Our team abides by the rule “no agenda, no attenda”. In order to make the most of the time you have with your subject matter experts, be sure to clearly document the purpose of the meeting and what will be covered. We recommend including the scenario scope and purpose and the specific data points that you will be estimating. If possible, relate the purpose of the scenario to that specific individual or team to show them why it matters to them specifically. It can also be beneficial to include the ultimate audience of the scenario (i.e. this will be reviewed during the Risk Committee meeting with the CISO).

>>Don’t Take No (Data) For an Answer

It can be all too easy to fall into the trap of agreeing to let the subject matter experts send over their estimates at a later date. This can happen for a number of reasons: They feel they don’t have enough or the right information, they want to look deeper into a specific value or query a tool -- whatever the reason this can lead to huge productivity halts in the analysis process.

This is difficult enough when you can walk past their offices every day with a pointed look until it is sent; it is much more difficult without that face-to-face interaction. In order to keep your analyses from stalling, you should never leave a call without a calibrated estimate. If necessary, the estimate can always be refined later, but by gathering an initial wide estimate you can continue making progress on your analysis while they dig deeper into the values.

At the end of the day, it is the amount of preparation and diligence of the analyst, not their environment, that determines the success of the analyst.

“If the analyst is focused on the right tasks and considerations, and prepares the SME well to have that discussion by being clear about what's needed/sought, then the delivery method, live or remote, becomes inconsequential” – David Musselwhite, Professional Services Manager – Dean, RiskLens Academy