The annual Gartner Security & Risk Management Summit is always a good read on the state of the CISO profession, and this year’s conference “Balance Risk, Trust and Opportunity in an Uncertain World” validated a key premise of FAIR™ analysis and RiskLens FAIR-based solutions: To make difficult tradeoffs, CISOs must communicate risk in business terms that clarify strategic decisions.
“Enterprise product portfolios are changing on the fly and increasing our risks,” Gartner VP Analyst Jeffrey Wheatman said in the keynote address. CISOs have a “fundamental role” in defining the path forward on this digital transformation, he said.
“Security leaders are focusing on re-prioritizing projects and initiatives, dropping some while adding and accelerating others. All the while trying to hit the moving target of risk appetite.”
With FAIR quantitative cyber risk analysis and the RiskLens platform, security teams can get a fix on the relative value of initiatives for risk reduction in financial terms to compare one to another – and plot that against risk appetite.
Gartner VP Analyst Jay Heiser, in his speech on Leadership Vision for Security & Risk Management 2021, urged CISOs to “Explain risks in terms of a business problem, such as loss of intellectual property, downtime or reputational damage. Then outline how you address those risks, for example, through sensitive data protection, resilience of critical systems and robust crisis and incident response.”
That pretty much defines the value of FAIR analysis for risk professionals in speaking to business decision-makers in business terms. This is consistent with Gartner’s recognition of Risk Quantification and Analytics as one of the five pillars of Integrated Risk Management, the risk-aware approach it has been successfully promoting as the next evolutionary step up from the simple checklist approach to GRC management.
Other sessions at the Gartner Summit got into the details of business-aligned cyber and technology risk management:
“Model Your Risk Assessment on the Digital Business Runway”
“Five Cost-Optimization Techniques Security and Risk Leaders Must Use in Uncertain Times”
“CISO Circle: Risk Quantification - What Works and What Doesn’t”
Although Gartner doesn’t endorse products, it does have a history of recognizing RiskLens and FAIR analysis in its reports, as we‘ve covered in blog posts:
RiskLens Named in Gartner “Competitive Landscape: Integrated Risk Management” (IRM) Report
Hype Cycle Reports by Gartner Cite RiskLens for ‘Financial Data Risk Assessment’
Challenging as this pandemic period has been, it’s also for CISOs “a glorious opportunity to enable our organizations to be stronger,” Wheatman said -- if, as the Gartner conference strongly implied, CISOs equip themselves with the right analytical model, solutions and capabilities for business-aligned risk management.