When planning for the adoption of quantitative risk management, organizations need to identify a clear scope and set of objectives to guide the initiative. This, in addition to support from executives like the CISO and CIO, is the main prerequisite to a successful quantitative cyber risk program based on FAIR™.
But what do the first 12 months look like? Here are some successful one-year objectives we’ve seen from our customers.
1. Prioritize/Track Security Initiatives
Many RiskLens clients kick off their cyber risk quantification (CRQ) program by measuring the risk reduction and ROI of high-profile security projects. For example, one customer ran cost-benefit analyses for 15 initiatives as a part of their 3-year security roadmap. This insight prioritized which projects should be completed first and allowed them to track and communicate the impact to stakeholders throughout the organization.
Another customer has implemented a policy that any new security initiative over $500,000 requires a RiskLens analysis as part of the financial approval process. On numerous occasions, this simple policy has shown that a project under consideration would have little to no impact on risk reduction.
Joe Vinck is Regional Sales Manager for RiskLens. Contact Joe on LinkedIn or via email: email@example.com
2. Report to the Board and the Business on Cyber and Technology Risk
Cybersecurity risk has never been more important to senior leadership in large organizations. As a result, boards of directors and senior executives should gain a financial understanding of the risk cybersecurity and technology pose to their businesses.
RiskLens clients can develop top-risk dashboards (see the example below) that show aggregated risk categories, riskiest assets, specific events that would lead to loss, plus ongoing security initiatives that will reduce risk. Business leaders and boards will be able to immediately understand this type of reporting, and clients establish a quarterly or monthly cadence for reporting updates. Clients can keep these dashboards fresh via the RiskLens Data Export API.
3. Integrate with GRC
If an organization has an existing GRC program or technology, they may need to have a seamless integration between their risk register (GRC) and their risk management/decision-making platform (e.g., RiskLens). Additionally, they can build a lightweight process to establish an intake form, create an entry in their risk register, analyze within RiskLens, then make a decision to treat, tolerate, or transfer.
This lightweight process helps to integrate FAIR (and RiskLens) within an existing program while setting things up for increased demand once the program takes off.
For any risks that are analyzed with RiskLens, the results can be exported for uniformity within the GRC risk register via our partnerships with ServiceNow and MetricStream, and through open APIs for other GRC and IRM solutions.
4. Understand the Value of Projects for Risk Reduction
Security teams never struggle to find potential projects or activities that can keep them busy. That being said, prioritizing and making trade-off decisions for scarce security resources can be a headache.
As companies get started with quantitative risk management, they will regularly conduct cost-benefit analyses on planned or considered security projects. This can help earn buy-in among the security team and with key stakeholders throughout the business.
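The cost-benefit analysis described here and in section 1 (risk reduction and ROI per initiative, with the $500,000 approval gate), together with the per-asset aggregation behind the top-risk dashboard of section 2, can be illustrated with a small FAIR-style Monte Carlo model. The code below is an added example written for this page; it is not RiskLens platform code. It assumes triangular distributions as a stand-in for FAIR's calibrated PERT ranges, treats annualized loss as loss event frequency times loss magnitude in each iteration, and uses constructed scenario and initiative figures.

```python
"""FAIR-style cost-benefit analysis of security initiatives (added example).

Assumptions (not from the RiskLens page): triangular distributions stand in
for FAIR's PERT ranges, annualized loss is loss event frequency (LEF) times
loss magnitude (LM) per iteration, and every figure below is constructed.
"""
import random
from dataclasses import dataclass
from statistics import mean, quantiles

POLICY_THRESHOLD_USD = 500_000  # the page's approval-gate threshold


@dataclass(frozen=True)
class Scenario:
    """A FAIR loss scenario: threat event frequency (TEF), vulnerability, loss magnitude."""
    name: str
    asset: str
    tef: tuple            # (min, most_likely, max) threat events per year
    vulnerability: float  # probability a threat event becomes a loss event
    lm: tuple             # (min, most_likely, max) loss per event, USD


@dataclass(frozen=True)
class Initiative:
    """A control project: what it costs per year and how it changes vulnerability."""
    name: str
    annual_cost: float
    scenario: str               # name of the scenario the control affects
    vulnerability_after: float  # estimated vulnerability once the control is in place


def simulate_annual_loss(s: Scenario, iterations: int = 10_000, seed: int = 7) -> list:
    """Monte Carlo: sample TEF and LM for each simulated year; LEF = TEF * vulnerability."""
    rng = random.Random(seed)  # fixed seed so before/after runs share the same draws
    samples = []
    for _ in range(iterations):
        tef = rng.triangular(s.tef[0], s.tef[2], s.tef[1])  # (low, high, mode)
        lm = rng.triangular(s.lm[0], s.lm[2], s.lm[1])
        samples.append(tef * s.vulnerability * lm)
    return samples


def summarize(samples: list) -> dict:
    """Loss exposure summary in the form a dashboard would show: mean, p10, p90, max."""
    deciles = quantiles(samples, n=10)
    return {"mean": mean(samples), "p10": deciles[0], "p90": deciles[8], "max": max(samples)}


def requires_quantified_analysis(cost: float, threshold: float = POLICY_THRESHOLD_USD) -> bool:
    """Approval-gate policy: initiatives above the threshold must be analyzed first."""
    return cost > threshold


def aggregate_by_asset(scenarios) -> list:
    """Top-risk view: mean annualized loss exposure per asset, riskiest first."""
    totals = {}
    for s in scenarios:
        totals[s.asset] = totals.get(s.asset, 0.0) + mean(simulate_annual_loss(s))
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def evaluate_initiative(init: Initiative, scenarios) -> dict:
    """Risk reduction = ALE before - ALE after; ROI = (reduction - cost) / cost."""
    before = next(s for s in scenarios if s.name == init.scenario)
    after = Scenario(before.name, before.asset, before.tef, init.vulnerability_after, before.lm)
    ale_before = mean(simulate_annual_loss(before))
    ale_after = mean(simulate_annual_loss(after))
    reduction = ale_before - ale_after
    return {
        "initiative": init.name,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "risk_reduction": reduction,
        "roi": (reduction - init.annual_cost) / init.annual_cost,
        "needs_analysis": requires_quantified_analysis(init.annual_cost),
    }


def rank_initiatives(initiatives, scenarios) -> list:
    """Order candidate projects by ROI so trade-off decisions are explicit."""
    return sorted((evaluate_initiative(i, scenarios) for i in initiatives),
                  key=lambda r: r["roi"], reverse=True)


# Constructed sample register (illustrative figures, not real data)
SCENARIOS = [
    Scenario("Ransomware on file servers", "File storage", (1, 3, 8), 0.30, (200_000, 900_000, 4_000_000)),
    Scenario("Credential phishing of finance staff", "Payments", (10, 25, 60), 0.10, (20_000, 80_000, 500_000)),
    Scenario("Misconfigured shared storage exposes records", "File storage", (0.5, 2, 5), 0.20, (100_000, 600_000, 3_000_000)),
]

INITIATIVES = [
    Initiative("Immutable backups + EDR", 750_000, "Ransomware on file servers", 0.15),
    Initiative("Phishing-resistant MFA for finance", 120_000, "Credential phishing of finance staff", 0.02),
    Initiative("Rebrand the security newsletter", 40_000, "Credential phishing of finance staff", 0.10),
]

if __name__ == "__main__":
    for asset, ale in aggregate_by_asset(SCENARIOS):
        print(f"{asset:14s} mean ALE ${ale:,.0f}")
    for r in rank_initiatives(INITIATIVES, SCENARIOS):
        print(f"{r['initiative']:36s} reduction ${r['risk_reduction']:,.0f} "
              f"ROI {r['roi']:+.2f} gate={r['needs_analysis']}")
```

Because the before and after runs share a seed, the risk reduction reflects only the change in vulnerability rather than simulation noise; a project that changes no FAIR factor (the newsletter rebrand above) shows zero reduction and an ROI of -1, which is exactly the outcome the approval-gate policy is meant to surface before money is spent.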
5. Perform Fast Risk Assessments for Ad Hoc Requests
Lastly, clients will set a goal to leverage quantitative risk management for ad hoc, tactical assessments. These can be things like audit findings, emerging risks, and policy exception requests and are used to rapidly determine loss exposure so the organization can make effective business decisions.
Security teams are regularly asked to grant a “high-risk” exception request or to treat a “high-risk” audit finding; quantification brings a data-driven approach to understanding and improving the decisions made on these recurring requests.
To wrap up, clear objectives like these are an essential component of a successful quantitative risk program. They accelerate the value delivered by risk quantification, generate demand for additional assessments throughout the business, and establish a strong foundation for an ongoing program.
If you’re considering the adoption of FAIR & quantitative risk management, I’m happy to connect to discuss what similar objectives could entail for your organization. You can reach me on LinkedIn or via email: firstname.lastname@example.org.