Here’s something I’ve learned using the FAIR model (and the RiskLens application) to help companies understand and measure their cyber risks: A successful risk analysis depends not just on software but the soft skills of clear thinking and clear communication.
In the infographic below, I named five of those skills that successful risk-aware companies develop. They may sound basic, but you’d be surprised at how difficult they can be to put into practice.
For instance, #1 “Find a Common Language” for discussing risk: The typical corporate Top 10 Risks list isn’t really a list of risks but a mixed bag of technologies (like cloud computing), threats (like hack attacks) and concerns (like organizational change). You can’t manage what you can't measure, and you can’t measure what isn't defined. The process of FAIR analysis solves this common problem.
5 Key Tasks in a Risk Assessment
Based on the FAIR Model
- FIND A COMMON LANGUAGE: You wouldn’t fly on a plane if aerospace engineers couldn’t agree on how to measure speed or velocity. The same should apply to risk analysis. Your organization needs to agree on a standard definition of risk.
- CALL IN THE EXPERTS: When you measure the risk associated with anything within your organization, you can’t assume you will know all the answers. Find the SME's with data specific to what you are measuring. Get the right people around the table to help.
- DOCUMENT ASSUMPTIONS: Always make the assumptions behind your analysis clear. Not only will it ensure everyone is on the same page, it will help you defend your conclusions.
- KNOW POSSIBLE FROM PROBABLE: Yes, anything could happen but not everything will happen to your organization. Determine if your industry should even be worried about a particular threat event. You're likely more at risk from general hackers than rogue nations.
- COMMUNICATE CLEARLY: When you are presenting the results of your risk assessment, know your audience. Don’t use too much technical jargon. Stick to the common language of business: dollars and cents.