By far, the most common use case I hear about for adopting cyber risk quantification is the ability to make objective, risk-based prioritization and budget decisions. The new capability on the RiskLens platform, Risk Treatment Analysis, makes this use case easier than ever.
Risk Treatment Analysis powers cost/benefit analysis for security investments, showing risk reduction in dollar terms relative to the cost of controls, process changes or other risk treatments. CISOs use Risk Treatment Analysis to make informed decisions on:
- Which controls are worth investing in – and which are not
- How security budgets can be optimized
- What are the true costs of maintaining legacy systems
Below are three reasons why this new functionality will change the way you look at control improvement decisions.
1. Ability to Create up to Four Comparisons in a Single Assessment
Using RiskLens Risk Treatment Analysis, an analyst can create up to four different comparative analyses off of a single risk assessment. By doing so, the analyst can compare various control improvement alternatives side by side, reducing time and re-work. When creating a comparison off of the baseline risk assessment, the analyst can select the scenarios to include in the comparison – which can be one, a subset, or all scenarios in the risk assessment.
As an example, let’s imagine I have completed an enterprise-wide risk assessment over my organization’s top risks. I want to drill deeper into how the confidentiality-related scenarios are driving the exposure and different alternatives to mitigate that risk. Using the Risk Treatment Analysis, I can select only the confidentiality scenarios in the risk assessment to bring into my comparison. By doing so, my new baseline analysis will be the aggregate exposure of the confidentiality scenarios. Then, using the risk treatment functionality described below, I can create and assign control improvement alternatives to the scenarios.
2. Customizable, Reusable Risk Treatment Options Enhance Efficiency and Consistency
The benefit does not stop at the number of comparisons available. In addition to being able to compare up to four states, the analyst can also create, save, and apply risk treatment alternatives to the various scenarios in the risk assessment (a risk treatment is a description of a control improvement, including the itemized cost and the estimated implementation time).
Multiple risk treatments can be used in each comparison, giving the analyst the ability to model the total risk reduction across various control alternatives. In the example above, I have created two different risk treatments related to the different confidentiality-related control alternatives my organization is considering.
Note: the examples below are for illustrative purposes only; the implementation time and cost are not factual.
3. Out-of-the-Box Dynamic C-Suite Level Reporting
Perhaps the best part is that the RiskLens Risk Treatment Analysis functionality does all the hard work when it comes to building an executive-ready report. The report was intentionally designed to be highly consumable and objective-driven. To that end, in my comparison assessment, I am able to view the new annualized loss exposure, the change in annualized loss exposure as compared to the baseline, and my organization’s risk threshold.
It is also dynamic and customizable, letting the analyst focus on the metrics that matter most to their audience, including whether to report based on financial change or proportional change.
To learn more about how RiskLens Risk Treatment Analysis can empower risk-aware decision making in your security, schedule a demo.