Chances are, you are somewhere along the road that David Elfering traveled on his way to ultimately building a successful FAIR™ program with RiskLens at Werner Enterprises, the trucking company, where he was Vice President of Information Security (he recently joined insurance services company ReSource Pro as Senior Director of Information Security).
David Elfering was interviewed for this video by Rebecca Merritt, Senior Manager, Professional Services, for RiskLens.
After years of qualitative cyber risk analyses (the appeal: “I could literally make the outcome of the risk assessment what I wanted it to be”), he finally ran into a pivotal experience with a CIO who, looking at a budget request for controls based on red-yellow-green risk ratings, said “‘I see these things are bad. But what have I lost because I’m not already doing this?’ I couldn’t answer the question.”
Elfering tried a spreadsheet FAIR solution early on and considered the RiskLens platform, but decided to focus efforts on a GRC because it seemed to handle so many issues. “It turns out I solved about 30% of the problems and never solved one particular problem. In particular, the risk analysis just wasn’t there… After a failed six-figure expenditure I decided to just do this the right way” – and sign up with RiskLens.
He started by training some security, audit and IT team members on FAIR through the RiskLens Academy and recommends it, even if you’re not going with a full RiskLens quantitative cyber risk management program. For a small investment, “you can get everybody up to speed and speaking a common language around risk. That leads to some really improved risk discussions.”
For a next step, he did a Proof of Value engagement with RiskLens. “Within four hours, I was able to see how quickly a very professional risk analyst could work with subject matter experts to not only outline a scenario but produce the end result. We outlined millions of dollars in potential loss.”
With a full RiskLens program running at Werner, Elfering saw a major cultural impact: the image of information security changed from “the department of finding nine reasons why something can’t happen instead of the one reason it should happen” to that of a business enabler.
“Using the FAIR methodology in your risk management program will absolutely engage you with the business in meaningful ways because the outcome will result in business decisions. You are able to have discussions about reducing the probability of losses to the business. That alone is just such an immense value that I really do encourage people to look at this risk journey. It does take recurring levels of effort, but the outcome is definitely worth it.”