RiskLens Chief Scientist and creator of the FAIR model, Jack Jones, recently conducted a survey of FAIR Institute members that asked some penetrating questions about the maturity level of their cyber risk analysis and risk management practices.
Five of the questions in particular point the way for a CISO or CIRO looking to evaluate the effectiveness of a risk team. Try these for a pop quiz on your team:
1. How is our visibility into assets?
Organizations need to know where their assets (systems, applications and databases) are and what their value/liability characteristics are, especially the “crown jewels” that are critical to business processes. Easier said than known.
A strong program maintains an up-to-date inventory: an audit should find no more than 5% of entries inaccurate overall, and the entries for crown jewel assets should be 100% accurate and current.
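One way to turn that threshold into a repeatable check is to reconcile the inventory against whatever discovery data the organization already has (a scanner export, a cloud API listing) and fail the audit when the overall inaccuracy rate exceeds 5% or when any crown jewel entry is wrong. The following is an added example, not code from RiskLens or the FAIR Institute; the inventory and discovery records are constructed, and the hostname-to-IP shape of the discovery data is an assumption.

```python
"""Reconcile a CMDB-style asset inventory against discovery results.

Added example with constructed data. Assumes discovery yields a mapping of
hostname -> IP address; real discovery output would be normalized to this.
"""
from dataclasses import dataclass, field


@dataclass
class AuditResult:
    inaccuracy_rate: float                 # fraction of known assets with a problem
    issues: list = field(default_factory=list)
    crown_jewel_issues: list = field(default_factory=list)
    passed: bool = False


def audit_inventory(inventory: dict, discovered: dict, max_inaccuracy: float = 0.05) -> AuditResult:
    """Compare inventory entries with discovered hosts.

    An entry is inaccurate if it is stale (not discovered), wrong (IP differs),
    or missing (host discovered but not in the inventory). The audit passes only
    if the overall rate is within max_inaccuracy AND no crown jewel entry is wrong.
    """
    issues, crown = [], []
    for name, entry in inventory.items():
        if name not in discovered:
            msg = f"{name}: in inventory but not discovered (stale entry)"
        elif discovered[name] != entry["ip"]:
            msg = f"{name}: inventory says {entry['ip']}, discovery found {discovered[name]}"
        else:
            continue
        issues.append(msg)
        if entry.get("crown_jewel"):
            crown.append(msg)
    for name, ip in discovered.items():
        if name not in inventory:
            issues.append(f"{name} ({ip}): discovered but absent from inventory (shadow asset)")
    total = len(set(inventory) | set(discovered))   # every asset anyone knows about
    rate = len(issues) / total if total else 0.0
    return AuditResult(rate, issues, crown, passed=(rate <= max_inaccuracy and not crown))


# Constructed sample data (hypothetical hostnames and addresses).
INVENTORY = {
    "pay-db-01":  {"ip": "10.0.1.20", "crown_jewel": True},
    "pay-api-01": {"ip": "10.0.1.21", "crown_jewel": True},
    "web-01":     {"ip": "10.0.2.10", "crown_jewel": False},
    "web-02":     {"ip": "10.0.2.11", "crown_jewel": False},
    "legacy-ftp": {"ip": "10.0.3.5",  "crown_jewel": False},
}
DISCOVERED = {
    "pay-db-01":  "10.0.1.20",
    "pay-api-01": "10.0.1.99",   # re-addressed; the CMDB was never updated
    "web-01":     "10.0.2.10",
    "web-02":     "10.0.2.11",
    "dev-box-7":  "10.0.4.42",   # shadow IT, never inventoried
}                                # legacy-ftp is gone but still listed

if __name__ == "__main__":
    result = audit_inventory(INVENTORY, DISCOVERED)
    print(f"inaccuracy rate: {result.inaccuracy_rate:.0%}  passed: {result.passed}")
    for line in result.issues:
        print("  -", line)
```

The crown jewel rule is deliberately separate from the percentage: a 20,000-entry inventory with one wrong entry is 99.995% accurate, but if that one entry is the payments database the audit should still fail.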
2. How is our visibility into controls?
Best practices dictate regular testing of controls (including authentication, access privileges, log monitoring, patching, etc.) but in a disciplined, risk-based way. As Jack writes, controls testing should be "more frequent for assets that are of higher value, face a more active threat landscape, and that undergo more frequent changes.”
3. How is our visibility into threats?
Ideally, an organization has threat intel specialists on staff or from outsourced resources who closely monitor threat activity and trends specific to the organization and its industry, particularly watching for changes in the frequency or sophistication of attacks.
At a minimum, an organization should be collecting threat information from industry sources such as ISACs.
4. How good is our risk analysis model?
Every risk measurement leverages a model of some sort, from the often uncalibrated mental models of individual professionals to formal models that have stood the test of time.
The RiskLens platform is built on FAIR (Factor Analysis of Information Risk), the Open Group standard model for cyber risk quantification. FAIR practitioners work at nearly 30% of Fortune 1000 companies (judging by the membership of the non-profit FAIR Institute). Analysis based on the FAIR model yields consistent, defensible results in the financial terms that work best in business communication.
If your team is still relying heavily on "mental models" (in other words, qualitative, non-financial estimates developed without meaningful rigor), point them to FAIR.
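To make the difference between a "mental model" and a formal one concrete, here is a small Monte Carlo simulation built on the FAIR factor structure: Risk is decomposed into Loss Event Frequency (threat event frequency times vulnerability) and Loss Magnitude (primary plus secondary loss), each estimated as a calibrated min / most-likely / max range, and the output is a distribution of annual loss in dollars rather than a color on a heat map. This is an added example, not RiskLens platform code or the FAIR Institute's own tooling; the scenario numbers are constructed, and the use of the standard library's triangular distribution in place of the PERT distribution FAIR tools typically use is an assumption made to keep the example dependency-free.

```python
"""Monte Carlo annualized loss exposure using the FAIR factor structure.

Added example with constructed inputs; not RiskLens platform code.
  LEF = Threat Event Frequency (TEF) x Vulnerability
  LM  = Primary loss + Secondary loss   (per loss event)
Factors are min / most-likely / max estimates sampled with a triangular
distribution (a stand-in for the PERT distribution FAIR tools usually use).
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        if self.high == self.low:          # a point estimate
            return self.low
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    tef: Estimate             # threat events per year
    vulnerability: Estimate   # probability a threat event becomes a loss event (0..1)
    primary_loss: Estimate    # dollars per loss event (response, replacement, ...)
    secondary_loss: Estimate  # dollars per loss event (fines, churn, litigation, ...)


def poisson(lam: float, rng: random.Random) -> int:
    """Number of events in one year at expected rate lam (Knuth's method)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate(scenario: Scenario, trials: int = 10_000, seed: int = 1) -> list:
    """Return one simulated annual loss (dollars) per trial."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        lef = scenario.tef.sample(rng) * scenario.vulnerability.sample(rng)
        annual = 0.0
        for _ in range(poisson(lef, rng)):   # each loss event draws its own magnitude
            annual += scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
        losses.append(annual)
    return losses


def percentile(values, q: float) -> float:
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def summarize(losses) -> dict:
    return {"mean": sum(losses) / len(losses),
            "p10": percentile(losses, 0.10),
            "p50": percentile(losses, 0.50),
            "p90": percentile(losses, 0.90)}


def prob_exceeds(losses, threshold: float) -> float:
    """Loss exceedance: fraction of simulated years with loss above threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


# Constructed scenario: ransomware against an internet-facing file server.
RANSOMWARE = Scenario(
    tef=Estimate(0.5, 2.0, 6.0),
    vulnerability=Estimate(0.05, 0.15, 0.40),
    primary_loss=Estimate(50_000, 200_000, 800_000),
    secondary_loss=Estimate(0, 100_000, 1_500_000),
)

if __name__ == "__main__":
    losses = simulate(RANSOMWARE)
    s = summarize(losses)
    print(f"annualized loss exposure: mean ${s['mean']:,.0f}  "
          f"p10 ${s['p10']:,.0f}  p50 ${s['p50']:,.0f}  p90 ${s['p90']:,.0f}")
    print(f"P(annual loss > $1M) = {prob_exceeds(losses, 1_000_000):.1%}")
```

The point for the quiz is the shape of the output: a defensible range with a median, a tail, and a loss-exceedance probability that can be compared directly against a risk tolerance or an insurance deductible. Changing one control (say, lowering the vulnerability range) re-runs to a new dollar figure, which is the comparison a qualitative "High/Medium/Low" rating cannot make.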
5. Do we run down root causes?
When conditions are found that don’t comply with the organization’s security policies, does the team make an effort to discover the root causes for non-compliance?
Although it's common for root cause analyses to be performed on major loss events, they are rarely performed on control deficiencies. Yet most organizations struggle with a form of "risk management groundhog day": wrestling with the same control deficiencies repeatedly. Common examples are missing patches, inappropriate access privileges, shadow IT, etc.
A truly excellent team would perform root-cause analysis on a significant percentage of non-compliant conditions (especially the repeatedly troublesome ones) and would maintain a portfolio of root-cause analyses to reveal and correct the underlying systemic causes, Jack writes.