Changing the Game: A Programmatic Approach to the Strategic Resourcing and Governance of Risk Quantification

January 19, 2023  Jon Oppenhuis

In 2002, the Oakland A’s were the first team to apply data analytics to baseball. They pioneered ways to identify hidden value and to maximize Return on Investment (ROI) when evaluating and investing in baseball talent. Despite competing against teams with budgets up to three times greater than their own, they set a record for consecutive wins and forever changed ‘business as usual’ in baseball operations.

Today, many cybersecurity and risk leaders find themselves in a similar situation to the 2002 Oakland A’s. The well-documented skills shortage and competition for talent within the security field contribute to the challenge of building and operating a program. With plenty of market opportunity, staff churn continues to be a feature of every program, and there are associated costs to recruit and retain staff. The number of FTEs and the level of expertise therefore vary within a team, making it difficult to address and balance the workload. Currently, leaders are often outfunded by competitors, fighting for departmental resources, and searching diligently for a financial edge in economically uncertain times.

Author Jon Oppenhuis is a Customer Success Manager for RiskLens, helping clients to adopt, develop, and mature enterprise-level cyber risk quantification programs.

The line cost for the human component is typically the largest operational expenditure of a risk program. For analysts performing risk quantification, security and risk management skills are foundational and more specialized training needs are also required. In addition, job tasks can be fragmented between these areas, reducing time to devote to specialization within a single area. For these reasons, the decision about whether and to what extent a service provider will assist from a staffing perspective is always a strategic consideration.

From a governance perspective, organizations frequently do not base a multi-year risk program on a mature business case capable of delivering ROI. Many companies will fund and run a risk quantification program without a documented model for oversight and without ever considering the financial returns on the program itself. This can result in over-investing or under-investing in resourcing. Naturally, this lack of governance creates risk, drives up costs, limits ROI, and impedes progress even for a highly proficient team with tenured analysts. 

To address many of these challenges and to help clients define and meet their success criteria, RiskLens has proven ways to enable strategic resourcing and to implement an effective governance model. This programmatic approach consists of eight primary components to establish, measure, manage, and grow a risk quantification program during each phase of maturity.

Programmatic Approach Risk Quantification - Strategic Resourcing & Governance

The Eight Components of the Programmatic Approach

1. RiskLens Dedicated Resources with Executive-Level Oversight

RiskLens provides dedicated resources to ensure a close and effective partnership with its customers. Each RiskLens account is assigned a dedicated Customer Success Manager serving as a single point of contact for account management. Dedicated executive-level contacts at the Director and VP levels are also provided to bring access, visibility, and engagement between RiskLens and client leadership. 

Additionally, a single point of contact from the Professional Services team will be assigned for the duration of the program. This oversight enables the individual consultants to become more informed about the specialized nature of each organizational context and to establish an embedded relationship with risk team members and company leadership. Every member of the consulting organization is a certified, experienced expert in risk quantification and highly proficient in the breadth of capabilities of the RiskLens platform.

RiskLens is the leader in cyber risk quantification with the FAIR standard. Let RiskLens help you build a quantitative risk management program. Contact us.

2. Quantifiable Return on Investment (ROI) and Time to Value (TTV) with Productivity and Team Stability

An organization new to risk quantification faces a decision on whether to staff the program exclusively with internal resourcing or to obtain staffing from an external source. For programs seeking staffing assistance, RiskLens offers options including managed services and multiple levels of professional services consulting. In addition, some level of consulting will typically be advantageous at some point for every customer regardless of the long-term staffing model.

With the consulting approach, a company may aim for a short-term or long-term engagement. In the first year of a multi-year engagement, RiskLens consulting typically focuses on team enablement to develop the skills of in-house risk analysts. During this initial year, the customer risk team will make significant strides to strengthen independent capabilities and to establish program self-sufficiency. The work activities beyond the first year will be directed more to program expansion with a greater number of risk assessments, a more varied set of use cases, and a growing internal audience for quantitative risk reporting.

RiskLens consultants are highly trained, with full-time experience working in hands-on analyst roles in risk quantification programs for all sizes and types of companies. Reasonable estimates indicate the productivity of the average RiskLens consultant is at least 2X greater than the average risk consultant in an enterprise risk program. This productivity gain for a percentage of resourcing provides significant ROI when built into a program’s business case and is magnified in multi-year scenarios. RiskLens consultants can also be deployed to accelerate TTV when clients intend to collapse project timelines or to demonstrate value to executives with Quick Wins.

For these reasons, many companies choose to embed RiskLens consulting into their own team, even when the program is viewed as a strategic in-house capability. The RiskLens consulting presence not only ensures ROI and TTV through greater productivity but also provides a hedge against future staff churn. The presence of the RiskLens consultant replaces the need for equivalent in-house staffing of an advanced-level analyst. If a key analyst departs, the RiskLens consultant can train a new team member rapidly. Also, the existing team of analysts may be less likely to churn knowing they have ready access to the advanced skills and training opportunities offered by the RiskLens consultant. The RiskLens consultants not only ensure quantifiable ROI and TTV but also produce greater team stability.

3. Independent Reference with Third-Party Validation

RiskLens will upon request provide a management-level reference from a large well-known enterprise company that is a current client and has used RiskLens professional services. Prior to contract, RiskLens will provide contact information to permit a direct client-to-client conversation. This will provide leadership with a greater level of understanding and trust in the proven capabilities of RiskLens consultants from an impartial third party.

Case Study: Highmark Health Transforms Its Approach to Risk Analysis with RiskLens

4. Governance Workshop to Establish Program Charter

A complimentary governance workshop will be conducted by a RiskLens Professional Services Manager and a Customer Success Manager, with participation and oversight by a RiskLens executive. Participation from at least one of the client’s risk leaders is required, along with the core risk analyst team, as well as voluntary involvement from as many relevant program stakeholders as client leadership desires. The outcome of this workshop will be a current and fully developed Program Charter. This charter is the first step in a more complete governance framework that RiskLens recommends and implements at no cost for all of its clients.

5. Training Plan with Learning Objectives to Set and Track Instructional Success

The RiskLens consultants will perform a needs analysis of a client’s risk quantification program to determine and prioritize the training and coaching requirements that will contribute to program success. The findings of the needs analysis will be used to develop a training plan with a set of high-level learning objectives, which are used to establish a baseline, demonstrate progress, and track the level of success.

Programmatic Approach Risk Quantification - RiskLens Education Offerings

6. Training Curriculum and Resources

Consistent RiskLens account support permits the RiskLens consultant to gain a deep understanding of the individual training needs and progress of each member of the client’s risk team, as well as a view into the success criteria of the program as a whole. This understanding provides a platform for individual coaching tailored to the guidance and improvement of analysts performing quantitative risk assessments using custom workstreams within individual environments. 

A set of Education Subscription seats is provided with every new or renewed RiskLens contract. This RiskLens repository targets the analyst audience at every skill level and consists of playbooks, white papers, guidebooks, webinars, and reference guides. It includes 100+ video modules, 20+ on-demand courses, and 6+ Learning Paths that can be used to design a program-specific training curriculum for analysts. The Education Subscription content is supplemental to instructor-led coursework on FAIR, RiskLens Platform Training, and Risk Reporting, which can also be framed within learning objectives.

Programmatic Approach Risk Quantification - RiskLens Education Subscription

7. On-The-Job Training and Hands-on Guidance

RiskLens consultants can also provide training that is customized to be directly applicable within the risk team’s daily workflow. While the instructor-led training and Education Subscription lay the foundational and ongoing coursework, there is no substitute for hands-on, platform-based guidance working directly on real-world assessments to develop risk assessment skills and strengthen analyst confidence.

The RiskLens consultants have been trained in how to coach analysts to facilitate individual growth and to foster self-sufficiency and can offer this on-the-job assistance both to individuals and to groups. The enablement process aims to provide training and coaching whereby analysts grow professionally and at the same time build in-house strategic capabilities into the client’s risk quantification program.

8. Value Assessments to Monitor Progress

RiskLens will provide complimentary Value Assessments led by a dedicated Customer Success Manager to ensure additional and ongoing governance beyond the Program Charter. The Value Assessment process will monitor the progress and maturation of the risk program. Specific success criteria with targets for progress on team training and enablement will be highlighted. Direct feedback from the client’s leadership and risk analyst team members is also encouraged. 

In addition to a formal monthly touchpoint with the client’s core risk team to track developments and progress, the governance process typically includes a bi-annual meeting with executives from both companies. This provides an opportunity to bring executive-level attention to any program shortcomings as well as to measure and highlight team accomplishments.

Conclusion

In Moneyball, the film portrayal of the 2002 Oakland A’s, General Manager Billy Beane said: “If we win, on our budget, with this team, we will have changed the game.” The eight primary components of the RiskLens approach provide a winning model tailored to each program and able to change the game for risk teams today.

Over the past decade working with hundreds of organizations, RiskLens has found the most successful programs have implemented a well-planned staffing model and documented a formal governance framework.

From the initial development of a program charter to the measurement and monitoring of program performance, the well-established processes provide a practical and cost-effective way to optimize the use of the RiskLens platform and to operate a high-functioning risk quantification program. 

The RiskLens model for strategic staffing and governance helps clients to build programs that move beyond the mechanics of risk quantification to enable well-informed decision-making that is actionable and leads to valuable business outcomes.