Throughout my career in cyber risk management, I've had numerous conversations with CISOs regarding risk and controls. One of the topics that I've covered time and time again is how to ensure the organization's controls address their top risks.
Since many frameworks out there are heavily driven by controls, there is a tendency to take a bottoms-up approach to assessing a security landscape. And while I'm not discounting the rigor behind this approach, evaluating every control gap, security weakness, and asset in one's environment is no small feat. At some point, the law of diminishing returns must be factored into the equation.
Rachel Slabotsky is Senior Manager, Professional Services, for RiskLens
RiskLens helps organizations quantify loss events in financial terms, taking a top-down approach to risk management. Below I will summarize some of the key benefits of taking a top-down approach to help inform decisions relating to controls optimization:
Efficiency - Identify Cyber Risks
The first step in this top-down approach is identifying and prioritizing the most probable and impactful loss events that make up the organization's risk landscape. The RiskLens platform’s Rapid Risk Assessment capability helps CISOs accomplish this objective in less than one week.
The efficiency of this approach is due to the following:
- Structured interviews applying the FAIR standard to translate what keeps executives up at night into quantifiable loss events
- Guided workshops and data libraries in the RiskLens platform that allow organizations to rapidly evaluate the frequency (probability) and magnitude (impact) of each loss event
The RiskLens platform leverages industry data and inputs from the organization to generate produce flexible, customizable reporting in financial terms, as in the example below:
Learn how RiskLens can help your organization understand and communicate cyber risk in business terms. Talk to a RiskLens expert.
Prioritization - Focus on Risk Reduction
Identifying and prioritizing your organization's greatest loss exposure in financial terms helps CISOs focus on what matters most - the controls that have the greatest impact on top risk. Current approaches that rely on existing controls and frameworks can sometimes fail to make that connection.
In other words, rather than spending time understanding every control gap and weakness in your environment, you can save time and also better prioritize investment opportunities by taking a step back and asking the following questions:
- Does this control gap tie back to one of our top risks?
- If so, to what degree would this impact our top risks if we were to remediate?
RiskLens' Risk Treatment Analysis capability allows organizations to assess and compare risk treatment options and demonstrate the ROI of controls investments for reducing cyber risk, which allows you to focus on the impact of each identified control as it relates to your top risks. Below is an example of the decision-making capabilities of this feature:
Credibility & Defensibility - Report Cyber Risk in Financial Terms
Taking a top down risk-based approach to prioritizing controls helps to:
- Establish credibility by ensuring that input is gathered from experienced members of leadership. The added benefit of reporting risk (and the resulting reduction from implementing controls) in financial terms helps to build a case with the business.
- Drive defensibility by communicating results that are backed by a blend of industry data (provided by RiskLens/third parties) and internal data from your organization. The RiskLens platform offers guided workflows and data libraries covering frequency and impact of cyber loss events in re-usable formats that greatly reduce time-to-results from analyses.
RiskLens helps organizations better justify, prioritize and manage the cybersecurity investment decisions and risks that accompany digital growth and transformation. Schedule a demo of the RiskLens platform.