Which route to choose depends on who’s asking for the information.
But… what if no one is asking? Or, more realistically, what if the people you want to help couldn’t give two hoots about what you have to offer, namely, identifying and quantifying their business unit’s risk?
This is a hurdle we see often in the start-up phase of a quantification program. What's the best way to spark the change to a new way of measuring and managing risk? As I was reminiscing about various frameworks and flipping through documentation on COBIT, PMBOK and PRINCE2, a couple of core themes came to mind regarding the implementation success of any new system or method.
Perhaps focusing on any one of these areas can help a struggling IT Risk Management team to get its due attention:
Find a business need or driver: RiskLens was procured because IT Risk Management identified a better way to measure, analyze, and recommend cost-effective risk mitigation. However, without a business sponsor and driver, an organizational effort will likely fall flat.
How can IT Risk Management get a business unit behind the effort? Which business unit cares about making better-informed decisions about cost-effective risk mitigation?
While business units understand their operational risks, there's a good chance they haven't thought about the cyber risks of the systems that drive their processes. In today's technology-driven world, that's a noteworthy miss and technology-savvy business representatives understand the gap.
So keep it simple and start with the peers who have already shown an understanding of cyber risk and/or an interest in your efforts.
If the business isn’t driving the initiative, it is likely the organization does not yet have a culture of cyber risk management. That’s the board’s and executive leadership’s problem. How can they be influenced to take an interest in quantifying cyber risk?
Quantifying cyber risk provides a far more effective and rigorous process, resulting in better information for stakeholders. Proving that, and getting people to trust the new approach and ultimately buy in, especially at the upper echelons, may take time. While culture change is a formidable challenge, it is a far more efficient process when it is fully supported and driven from the top.
To help get leadership's attention, show off your new quantification model and application to your friends in Enterprise Risk.
Read this: What CISOs Need to Tell the Board about Cyber and Technology Risk
Start with small wins: To procure an application like RiskLens, some level of executive support exists and it’s likely with the CISO or CIO. The IT Risk Management team can add a lot of value to these internal stakeholders.
By using quantification to enable better spending or resource allocation decisions, or to increase visibility of operational risks (e.g., patching), you can bet that sooner or later business stakeholders will start to take notice.
IT offers a wealth of opportunities for quantifying risks.
Read this: Case Study - Using RiskLens to Meet GDPR and NYDFS Regulations
Top leadership provides the direction for the initiative and actively supports it: As an IT project manager in a previous life, running a project with top management support was a dream. Resources were made available to me when I needed them, decisions were made quickly, and progress proceeded rapidly. No need to hurry up and wait for anything. Whether it be the board, risk committee, or CIO, IT Risk Management needs active executive support.
If your upper levels are still rallying around controls and measuring effectiveness through controls-based comparisons, your problem starts there. Start with providing some executive level education.
Up until a few years ago, quantifying cyber risk was widely dismissed as impossible. Perhaps it was, but things have changed.
We’re not talking about a whiz-bang application that calculates cyber risk in a black box and out pops a number. Instead, RiskLens is built on an internationally recognized, highly defensible and proven risk model, FAIR, that leads to a more rigorous understanding, evaluation and communication of cyber risk.
More tips on successful risk quantification programs:
Win Over Your Organization to FAIR: Tips from Walmart, Chevron, HPE
4 Successful Starter Projects with RiskLens (and 3 More to Do Next)