3 Steps to Prioritizing Control Investments with RiskLens

November 12, 2020  Taylor Maze

CISOs and their cybersecurity teams rarely have a shortage of controls they would like to implement in their environments. Unfortunately, what they do have is a shortage of resources to fund those investments. The question, then, is which control(s) should be prioritized? Which will provide the greatest benefit?

RiskLens recently unveiled the newest feature in our quantitative cyber risk management arsenal: Risk Treatment Analysis. The new capability enables cybersecurity teams to assess and compare risk treatment options with cost-benefit analysis. Now, going back to the shortage dilemma above, how can this new feature be practically leveraged to prioritize the CISO’s control investment wish list?

Step 1: RiskLens Top Risk Assessment

The first step is understanding what your current environment looks like from a risk perspective. At RiskLens, a top risk analysis is the first step toward a mature quantitative cyber risk management program.

The top risk assessment has two core objectives: quickly identify, and then prioritize, the top risks at an enterprise, line of business or business unit level. The result is 20-40 properly defined risks (or loss events in FAIR™ terms) prioritized based on financial loss – dollars and cents.

Both steps (identification and prioritization) are completed on the RiskLens platform with a Rapid Risk Assessment that runs risk analyses in minutes to produce flexible, customizable reporting, as in the example below, sorted by Most Severe Event -- you might also choose to view Top Annualized Risks or Most Likely to Exceed $500,000 (or another limit). The RiskLens services experts will guide your team through your initial use of Rapid Risk Assessment in a two- or three-day workshop.


Step 2: Take a Closer Look at the Highest Risk Loss Events via RiskLens Detailed Risk Analysis

The highest risk scenarios may warrant a deeper dive analysis. RiskLens recommends conducting a detailed risk analysis on items that will be leveraged to enable strategic decision-making, such as high dollar control investment decisions.

Following initial identification of risks through Rapid Risk Assessment, a detailed top risk assessment takes a closer look at 3-5 of the prioritized loss events to gain additional precision and a greater understanding of the associated risk drivers – see one example: Case Study: Financial Organization Evaluates Cyber Theft Risk Reduction Alternatives with RiskLens. The RiskLens services experts can also guide a detailed top risk assessment with a workshop for your team.


Step 3: Prioritize Control Investment Alternatives with RiskLens Risk Treatment Analysis

Now that you have an understanding of your current environment, it is time to break out that control wish list. At this stage, you will be reviewing each loss event you quantified during the detailed Top Risk Assessment and determining which of the controls on your list will impact either the frequency (how often the loss event occurs) or the magnitude (the financial impact each time the loss event occurs).

With Risk Treatment Analysis on the RiskLens platform, you can create a comparison assessment in just a few clicks, which lets you understand the impact of each identified control on the in-scope loss events. Given that, in the example above, the two highest-risk scenarios were related to information theft, you might consider which alternatives could reduce that exposure. The example below models three such controls:

Option 1: Improved Identity Access Management Controls
  • Additional layer of difficulty for the threat actor to access information
  • Reduces susceptibility to attempts (fewer attempts succeed, so the loss event occurs less often)

Option 2: Improved Detection & Response
  • Additional visibility into attempted or successful data theft events
  • Reduces the financial loss associated with each event

Option 3: Data Encryption
  • Reduces the usability, and therefore the effective sensitivity, of stolen information
  • Reduces the likelihood of secondary losses (e.g., notifying affected parties/regulators, fines & judgments, reputation loss, etc.)

While at face value we might assume that a control intended to reduce the likelihood of the event occurring in the first place would deliver the largest reduction, in this example encryption wins by a landslide.

Using the RiskLens Risk Treatment Analysis, we can see the anticipated risk reduction not only in dollars, but also as a percentage of the baseline and in relation to the cost of implementing the control improvement.
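As an added illustration of the frequency-versus-magnitude comparison described above, the following Python is example code written for this page; it is not RiskLens software and does not reproduce the platform's output. It models two information-theft loss events in FAIR terms (loss event frequency, primary loss, and the probability and size of secondary losses), applies the three treatment options as multipliers on the driver each one affects, and reports the reduction in dollars, as a percentage of the baseline, and per dollar of annual control cost. All dollar figures, frequencies and reduction factors are constructed for the example, and point estimates stand in for the ranges a Monte Carlo analysis would use.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class LossEvent:
    """One FAIR-style loss event, described with point estimates (constructed)."""
    name: str
    lef: float              # loss event frequency, events per year
    primary_loss: float     # primary loss per event, in dollars (response, replacement, productivity)
    secondary_prob: float   # probability that an event triggers secondary losses (notification, fines, reputation)
    secondary_loss: float   # secondary loss per event when it does, in dollars

    def annualized_loss(self) -> float:
        """Annualized loss exposure = frequency x (primary + expected secondary) magnitude."""
        return self.lef * (self.primary_loss + self.secondary_prob * self.secondary_loss)


@dataclass(frozen=True)
class Treatment:
    """A control option expressed as multipliers on the risk drivers it changes (factors are assumptions)."""
    name: str
    annual_cost: float
    lef_factor: float = 1.0             # < 1.0 means the event happens less often (frequency control)
    primary_factor: float = 1.0         # < 1.0 means each event costs less to handle (magnitude control)
    secondary_prob_factor: float = 1.0  # < 1.0 means secondary losses are triggered less often

    def apply(self, event: LossEvent) -> LossEvent:
        return replace(
            event,
            lef=event.lef * self.lef_factor,
            primary_loss=event.primary_loss * self.primary_factor,
            secondary_prob=event.secondary_prob * self.secondary_prob_factor,
        )


# Constructed baseline: the two highest-risk information-theft scenarios from a hypothetical top risk assessment.
BASELINE_EVENTS = [
    LossEvent("Insider exfiltration of customer records", lef=2.0, primary_loss=250_000,
              secondary_prob=0.6, secondary_loss=1_500_000),
    LossEvent("External theft of regulated data", lef=0.5, primary_loss=400_000,
              secondary_prob=0.8, secondary_loss=3_000_000),
]

# Constructed treatment options mirroring the three alternatives discussed in the article.
TREATMENTS = [
    Treatment("Improved IAM", annual_cost=300_000, lef_factor=0.6),
    Treatment("Improved Detection & Response", annual_cost=400_000,
              primary_factor=0.7, secondary_prob_factor=0.8),
    Treatment("Data Encryption", annual_cost=250_000, secondary_prob_factor=0.1),
]


def compare(events: list[LossEvent], treatments: list[Treatment]) -> list[dict]:
    """Rank treatments by annualized risk reduction, with % of baseline and reduction per dollar of cost."""
    baseline = sum(e.annualized_loss() for e in events)
    rows = []
    for t in treatments:
        treated = sum(t.apply(e).annualized_loss() for e in events)
        reduction = baseline - treated
        rows.append({
            "treatment": t.name,
            "baseline": baseline,
            "treated": treated,
            "reduction": reduction,
            "pct_of_baseline": 100.0 * reduction / baseline,
            "reduction_per_dollar": reduction / t.annual_cost,
        })
    return sorted(rows, key=lambda r: r["reduction"], reverse=True)


if __name__ == "__main__":
    for r in compare(BASELINE_EVENTS, TREATMENTS):
        print(f"{r['treatment']:<32} reduction ${r['reduction']:>12,.0f}  "
              f"{r['pct_of_baseline']:5.1f}% of baseline  "
              f"${r['reduction_per_dollar']:.2f} saved per $1 of control cost")
```

With these constructed numbers the two frequency-driven events carry a $3.7M baseline, and encryption, which only cuts the probability of secondary losses, removes about 73% of it for the lowest cost, while the IAM option that attacks frequency removes 40%. The ranking depends entirely on the inputs, which is the point of running the comparison rather than assuming that a preventive control must win.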

Unfortunately, we cannot reduce the number of decisions CISOs need to make (or increase their budgets) but, using the RiskLens Risk Treatment Analysis functionality, we can make those decisions much easier to weigh.