Our clients tell us that the Top Risk Identification Workshop is one of the quickest-value services RiskLens offers. It is a two- or three-day onsite workshop focused on identifying your top risks, followed by a FAIR™-based quantification, powered by the RiskLens platform, to quickly triage your risk scenarios. It’s a fast-paced, efficient way to launch a cyber risk quantification program for your organization.
Here are some of the main takeaways:
1. What are my Top 20, 30, 40 risks to triage?
During the first day of the workshop, we sit in the room with the main stakeholders and listen to what their top concerns are for the organization. Typically, they are IT-related, and we begin to develop scenarios that can be analyzed around these concerns. Often, these are broad worries like “the cloud” that need to be turned into a true FAIR scenario by defining the threat, the asset and the effect. We call this normalization.
Example: “The Cloud”
Normalized: Analyze the risk associated with an External Malicious actor breaching PII data within our cloud service Vendor.
We do this for about 20 to 40 scenarios until we have a list that represents the most probable scenarios, which we then run through the rapid Triage function in the RiskLens Platform.
About RiskLens Triage
Purpose-built on FAIR and aligned with the ISO 31000 risk management process, this capability allows risk analysts to:
- Ingest ad-hoc inputs such as audit findings, security policy exceptions, community threat alerts and zero-day disclosures into RiskLens for rapid analysis
- Quickly define, document and utilize the potential loss events related to these inputs
- Run a quantitative risk analysis of these potential loss events in 15 minutes or less and determine the probable financial loss exposure
2. Triage for magnitude: Where is my highest loss exposure?
Among the chosen scenarios, RiskLens reporting can help you to quickly assess and understand where your highest exposure lies. What threats should you really be concerned with – for instance, Vendors or External Malicious Actors? Should you be concerned more about the cloud or databases containing PII? What about effects – should your organization focus more on protecting data or keeping your systems online? From the triage, we will be able to answer these questions. Here are some sample reports showing relative magnitude of loss exposure.
Example - Exposure by Threat:
Example - Exposure by Effect:
3. Triage for frequency: What loss events are occurring most frequently?
We hear this called ‘death by a thousand cuts’, and every organization has one or five. There may be normal processes that run – legacy systems, customer emails, any manual process – where you are experiencing outages or breaches every day, once a week, whatever it may be. Each time one happens, it may not be a long outage or a huge breach, but these little events add up and could be costing your organization a lot of money. The triage piece of this workshop helps us find those scenarios and flush them out.
4. Ranking your risks: How much in dollars could I potentially lose?
Once we triage all scenarios, we come out with a set of quantitative results and can rank the scenarios by probable loss. We do not use a high/medium/low scale; we assign a frequency and a magnitude to this future loss to come out with an annualized loss exposure. Additionally, we are not just producing single dollar values but a range of probable outcomes. This is a great example of how RiskLens enhances FAIR from a model and taxonomy into a true decision support capability through our platform. It is a great starting point to help us understand what the true top risks are. It’s perception versus reality: we have moved from our perceived top risks to the reality of the risks we should be concerned about.
A RiskLens Top Risks Report
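To show what "frequency and magnitude in, a range of annualized loss outcomes out" looks like in practice, here is an added example (not RiskLens platform code) that runs a simple Monte Carlo triage over a few constructed, normalized scenarios and ranks them by mean annualized loss exposure. The scenario names, the min/most-likely/max estimates and the triangular distribution are assumptions chosen for illustration.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    """A normalized FAIR scenario (threat, asset, effect) with triage estimates."""
    name: str
    lef: tuple        # loss event frequency per year: (min, most likely, max)
    magnitude: tuple  # loss magnitude per event in dollars: (min, most likely, max)


def _poisson(rng, lam):
    """Knuth's method: number of loss events occurring in one simulated year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_ale(s, iterations=10000, seed=7):
    """Monte Carlo annualized loss exposure: returns (mean, p10, p50, p90)."""
    rng = random.Random(seed)
    annual = []
    for _ in range(iterations):
        lo, ml, hi = s.lef
        events = _poisson(rng, rng.triangular(lo, hi, ml))   # events this year
        lo, ml, hi = s.magnitude
        annual.append(sum(rng.triangular(lo, hi, ml) for _ in range(events)))
    annual.sort()
    pct = lambda q: annual[min(len(annual) - 1, int(q * len(annual)))]
    return sum(annual) / iterations, pct(0.10), pct(0.50), pct(0.90)


def rank_scenarios(scenarios, **kw):
    """Rank scenarios by mean ALE, highest loss exposure first."""
    results = [(s.name, simulate_ale(s, **kw)) for s in scenarios]
    return sorted(results, key=lambda r: r[1][0], reverse=True)


# Constructed sample scenarios (illustrative estimates, not client data)
SCENARIOS = [
    Scenario("External actor breaches PII at cloud vendor", (0.02, 0.05, 0.2), (1e6, 5e6, 20e6)),
    Scenario("Ransomware outage of order system", (0.1, 0.5, 1.0), (5e5, 2e6, 5e6)),
    Scenario("Phishing-driven small breaches (thousand cuts)", (20, 50, 100), (1e3, 5e3, 20e3)),
]

if __name__ == "__main__":
    for name, (mean, p10, p50, p90) in rank_scenarios(SCENARIOS):
        print(f"{name:48s} mean ${mean:>12,.0f}  p10 ${p10:>12,.0f}  p50 ${p50:>12,.0f}  p90 ${p90:>12,.0f}")
```

Note that the low-frequency scenarios show a median of zero (most years nothing happens) but a large p90, while the "thousand cuts" scenario loses money every year; that spread is what the range of outcomes conveys and a single point value hides.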
5. What are the next steps?
The RiskLens Professional Services team will coach you on next steps based on our experiences with other clients and peers in your industry. We may suggest you do a deeper dive on the RiskLens platform into your top five risks to get a more precise understanding of how much risk you face by gathering more data from the business and relevant stakeholders. Maybe one scenario really stands out, and that is where you should start to focus your security efforts. Additionally, if you have certain objectives you’d like to achieve after this – reporting to the board, validating investments/projects, etc. – we can help you achieve those.