We recently spoke with a potential buyer of RiskLens software and services that is already running a home-grown solution for cyber risk quantification based on Factor Analysis of Information Risk (FAIR™) -- with mixed results. A number of RiskLens customers started as do-it-yourselfers, and as the popularity of FAIR grows, we’re seeing more organizations taking a try-before-you-buy approach.
And that’s good. In fact, RiskLens makes available the FAIR-U application free of charge so anyone can try FAIR analysis on a very limited scale, for instance while taking a FAIR training class from the RiskLens Academy. We’re confident that seeing the benefits of cyber risk quantification will whet your appetite for other RiskLens products and solutions:
Get a quick quantitative read on your cyber risk, based on industry, organization size, location, and other factors.
An easy and affordable managed service that helps organizations quickly define, assess, and communicate cyber risks in financial terms with reporting by RiskLens risk consultants using the Enterprise Platform.
RiskLens Enterprise SaaS Platform
The Enterprise SaaS subscription to the RiskLens platform supports fast, risk-informed decisions at any level of the enterprise, from planning a new digital initiative down to day-to-day audit findings.
But to be clear, FAIR is an open standard, certified by the Open Group, recognized by the National Institute of Standards and Technology and other authoritative bodies, and supported by the nearly 13,000-plus members of the FAIR Institute (RiskLens is the technical adviser to the Institute). That’s why FAIR has such high credibility as the model of choice for quantitative analysis of cyber and technology risk.
Because it’s an open standard, FAIR can be run on spreadsheets or DIY apps. But should you do it? As we talked to this potential client, some of their frustrations with their spreadsheet/app solution came to the fore:
Risk Analysis Workflow
Their app is just a calculator, and that only covers one part of a quantified risk analysis. An analyst must jump back and forth from spreadsheets to app to wrangle the elements she needs to scope a scenario for FAIR analysis: assets, threats, loss types, loss events.
>>The RiskLens platform walks the user through the analysis process to build out a scenario with a simple workflow, much like tax software, with the user selecting assets, etc., from dropdown menus.
Data for Risk Analysis
The DIY solution is scattered and amnesiac. To fill out scenarios, the analyst needs to repeatedly pull together data for input from experts around the company.
>>Our emphasis is on data selection not data collection. RiskLens offers extensive pre-packaged industry-specific data and scenarios curated by our data science team to be used with – or in place of – an organization’s historic data. The RiskLens platform also stores a vast array of elements for easy, repeat use in analysis such as assets, risk scenarios, loss tables, risk assessments and data points such as incident response costs, loss event frequency, threat actors and controls strength, to name a few.
Their spreadsheet solution can’t aggregate or compare risk within or among the business units for an overall picture of loss exposure or to confidently identify top risks. To even approach those goals, they must run multiple analyses one at a time, a time suck. More importantly, if they can’t reliably identify top risks, they may have millions of dollars in unknown loss exposure hanging over them or millions more in misdirected risk mitigation efforts.
>>The RiskLens platform’s Rapid Risk Assessment capability in minutes organizes and compares top risks based on ranges for dollar values of probable loss. Webinar: See top risk reporting in action.
Comparative or Cost-Benefit Analyses to Evaluate Risk Treatments
By altering the variables for FAIR factors, they can get a rough idea of the effect of controls or other risk mitigations, then eyeball controls cost figures for some not-very-reliable cost/benefit analysis. It’s an immediate problem: This organization wants to hit maturity goals for the NIST CSF and needs help choosing among the many controls recommended by that framework.
>>The RiskLens Risk Treatment Analysis capability has all this automated, from assessing the baseline risk, to seeing the effect on the baseline of controls or process changes, to inputting the cost figures, to final reporting that compares how various treatment options quantifiably change baseline risk and, the return on investment (ROI) of options
The DIY solution leaves users also doing reporting by themselves, trying to aggregate a series of single scenario results into a coherent picture.
>>The RiskLens platform offers a wide range of reporting functions to view risk from many angles. Use the risk assessment capability to identify and rank risks for loss exposure, create a fast report on a single loss event, get multi-scenario views of one complex risk and more. Use Portfolio Management to understand risks by business unit, type of cyber event, revenue streams, strategic initiatives, crown jewel assets or virtually any other category that fits the needs of the business. Webinar: See Portfolio Management in action.
RiskLens APIs export analysis reporting into executive dashboards, IRMs, GRCs, analytics products and other systems of record, as well as PowerPoint and Excel.
For a DIY solution, this organization is going it alone on support. As experienced FAIR shops know, FAIR is more than a platform – it’s a program, and one that often involves a cultural change to move to risk-based, financially sound cyber risk management.
>>RiskLens fields the most experienced team in the world at setting up a quantified risk management program, from kickoff workshops to give the team hands-on experience with risk analysis, to ongoing support to share the latest insights gathered from the largest customer base of FAIR practitioners.
This organization is already on the way to joining the ranks of RiskLens + FAIR-powered risk management teams. Let us show you the power of the RiskLens platform – schedule a demo.