The requirements of large cyber risk assessments
We at RiskLens partner with customers that are required to do what may seem like the impossible: analyze the risk associated with a large number of assets within a relatively short period of time. This usually requires designing a streamlined process to conduct all of the analysis necessary. It also requires engaging both the risk management team and key business and/or technology stakeholders in the process. The involvement of the latter group cannot be overstated: their participation is a fundamental and necessary component of conducting a risk analysis that accurately reflects the subject under scope.
Why does it feel like pulling teeth to get subject matter experts from the business and technology to show up to the meetings and actively engage in the sessions?
I believe it has to do with the feeling that “risk analysis” is a waste of time. Much of what has passed for “risk analysis” for far too long has been nothing more than compliance box checking: asking too many unnecessary and/or irrelevant questions that do very little to inform risk decisions. For some reason - possibly something innate in us as humans - we believe more is better. The more questions we ask, the better we must understand the subject matter; and if more questions are better, then asking them frequently must be better still. For many of the organizations we work with, annual, semi-annual or even quarterly “risk reviews” are forwarded to the business and technology teams in the form of spreadsheets or checklists from a variety of departments, including audit, compliance, risk management and others. Simply put, business and technology stakeholders are burnt out by a poor process that adds very little value.
Moving beyond checklists with viable risk models
So where does that leave us? The answer is not definitive, as this process is so ingrained in so many organizations across different industries. With that said, there is a light at the end of the tunnel. Many of our customers have realized that there is another - and I dare say better - way of assessing risk that does not frustrate or burn out key members of your organization. The model is flexible, defensible, and quantifiable. I’m of course talking about the FAIR risk model. FAIR is flexible in that it guides you through a risk analysis with a useful degree of precision, and it uses standardized terminology that improves communication between analysts and business and technology stakeholders.