A Startup Asks: Do We Need a GRC Before We Can Implement RiskLens?

July 29, 2020  Scott Lieberman

We recently helped a client, a well-funded start-up, with a key decision in setting up its security program. The security team was enthusiastic about RiskLens and bringing risk-based cyber and information risk management to the organization. But with a small staff and a lot on their plates, they asked “Wouldn’t the best practice be to onboard a GRC tool as our starting point, and add RiskLens after that was up and running?”

To give away the ending to the story: The team decided to move full speed ahead on its GRC purchase – but implement RiskLens  first.

Here’s why: RiskLens identifies what’s most important, the top cyber risks to focus on to hit corporate objectives and drive effective decision-making in a timely way. The GRC gives them the capability to execute on risk management for what’s important; in other words, form follows function.

Scott Lieberman is a Strategic Account Executive for RiskLens based in Chicago

For instance, the start-up had the typical range of requirements for its GRC, such as:

  • A central place to track information risk management, including risk ratings and action plans.
  • Compliance management with NIST, ISO and other frameworks.
  • Policy exception management.

These requirements had one thing in common: They were the “how” (to manage the workflow), so to speak, without the “what”, prioritized risks to fill out a truly useful risk register.

The only effective way to rank risks is by comparing impact in the quantitative, financial terms achievable with RiskLens analysis, based on FAIR™, the international standard for risk quantification.

Benefits of the RiskLens and FAIR Quantitative Risk Analysis Approach

As we explained, the first benefit that FAIR analysis brings is a workable, consistent definition of risk (or loss exposure) based on a scenario with identified threats, assets and impact. For this client that might be:

Threat: Insider Error

Asset: Intellectual Property Database

Impact: Loss of Competitive Advantage Leading to Loss of Revenue

Right away, that clears up the confusion that often clutters risk registers with items like “the cloud” or “malicious insiders”, things that are more topics of concern than definable risks.

Next, we explained that they needed to understand their risk landscape in order to shape their use of a GRC. We demonstrated RiskLens'  Rapid Risk Assessment capability, a fast, high level way to uncover and rank their top risks based on loss exposure in dollars, particularly affecting their crown jewel assets.

As a starting point, those risks would put some definition and prioritization on most of the processes they hoped to run through the GRC.  

Answering the Objection: We Don’t Have the People or the Data for Risk Quantification

Well and good, they said, but we’re a small team, with limited ability to gather the data and run the analyses for quantification.

We had two answers:

First, you have access to more data than you think. The FAIR method is about estimating probable loss exposure based on data from a variety of sources, including your internal security data, third-party data built into the RiskLens platform and RiskLens proprietary data from thousands of analyses we have run for clients.

Second, once data inputs are provided, the RiskLens platform automatically generates results for probable loss in dollar terms in ranges derived from Monte Carlo simulations—a format your board will appreciate, as it’s a standard in financial projections for risk.

Third, the  RiskLens Services team is the most experienced in the world at set-up and operation of quantitative cyber risk management programs. Our consultants will run a  a top-risks identification workshop with your team members that would enable you to fill out your risk register and get your security team started on risk mitigation right away.

The Risk Management Solution Buying Decision

Finally, the startup’s team came to this conclusion: They wanted a GRC for good tactical reasons, to help with record-keeping and communication among the security and risk professionals. But they also had a strong need to communicate on a strategic level to the C-suite and the board. RiskLens gave them the power to strategize on risk management based on the kind of financial analysis that corporate leadership understands.

When we last checked with this client, they were well on their way to getting the most value out of both their GRC tool and the RiskLens platform and services.