3 Reasons for Cyber Risk Quantification When There's a Million Other Things to Do

May 21, 2019  Rebecca Merritt

It's no secret that information security organizations have more work to do these days and are expected to do it on flat or slightly increasing budgets. Not to mention that staffing positions can be a struggle. Sometimes, risk quantification can seem daunting, and assigning a color or simple rating to risk seems more efficient. But think about it - how effective is it? Is that really helping you to make the big decisions required by the organization or to prioritize your risks? Do you find your Risk Management team having robust and defensible conversations when trying to determine if a risk is red or red-orange? I’m guessing the answer is no…

So why is quantification so important? I’m going to list out three items that have come up in recent conversations with customers:


Rebecca Merritt is Manager, Professional Services, with RiskLens.

1  Budgeting: Change the Terms of the Cyber Risk Conversation

You’ll finally be able to talk to your leaders in terms that they understand – dollars. Telling business leaders that the risk is ‘red’ and that they should take action because of this ‘red’ item does not help them make a well-informed decision on what to do. Put yourself in their shoes: would you feel comfortable making a multi-million-dollar investment in something when you only understand where it sits on the rainbow? If you look at it from that view, it seems ludicrous. Give your leadership actionable information to make decisions on where to spend budget.

2  Project Prioritization: Focus on ROI

Have you ever been two years deep in a project that was intended to help the organization only to find out that it didn’t provide a ton of value or that it really isn’t something that the organization should invest so many resources in? We’ve all been there – and honestly, if we could have provided financial-based data and reporting on why this solution isn’t as great as Joe in Cybersecurity believes it is, wouldn’t that save us all some headaches and caffeinated nights?

Quantification allows you to deliver the cold hard facts – emotions removed. If someone has an agenda for a solution they want implemented, it will get squashed (or validated) with the simple act of quantifying the probable risk reduction vs. the investment. That in and of itself is why so many customers choose quantification.

3  Strategic Direction: Get the Organization Moving Together

This one is less quantification and more to do with the FAIR model, and socializing a shared, standardized approach to problem solving around risk. FAIR is not only about controls or loss – it takes a holistic approach. I’ve heard it time and time again – FAIR helps us think through risk to truly assess the loss event. And in thinking through the loss event, we can gain insight into our processes and priorities.

I am on-site with customers quite a bit, and some of the conversations I hear are so valuable for the organization, conversations that I truly believe would not have occurred if they were not thinking through the model.

It’s not always about the numbers at the end of the day, but the conversations that brought you there. It’s defensible and it makes sense.

If you want to jump on the FAIR train, reach out to our team at RiskLens to schedule a demonstration.
