I’ve shared leadership characteristics that will help with program launch and continuity (CISOs: Ensuring a Successful Quantitative Risk Management Program Start) – but what other challenges have clients experienced and how can you get past them?
When risk leadership is not championing the program, risk analysts are left guessing which analysis might be interesting enough to make leadership take notice.
The key is to get risk leadership involved with the question at hand. They have business problems to solve, whether reporting the value of top risks, deciding where to focus scarce resources, or choosing the best security investments, and those problems suggest the risk scenarios to analyze.
Author Leanne Scott is a Customer Success Executive for RiskLens
Seeking the Perfect Use Case
Sometimes risk leadership tries to determine the perfect area to apply technology risk quantification. Make sure they know the value proposition of quantitative analysis – then just start. Select a decision that needs to be made and use quantification to inform it. The lessons learned in doing analyses and seeing results will help you hone your use cases for more analysis work.
Trying to Collect Ever-better Data for Every Possible Rule, Configuration, Possibility or Exception
FAIR analysis aims for “a useful amount of precision,” but that can mean different things to different people. Refining the inputs to a quantitative analysis over and over adds little value, and the effect on the results is negligible.
Start with the library of data helpers in the RiskLens platform and modify only the more custom inputs (for a walk-through of data helpers and the other time-saving tools in the platform, watch this video: Maximizing RiskLens Efficiency). Do the results make sense? Will a few thousand dollars either way make a difference? If not, you are likely at the right level of effort.
Starting from the Bottom Up Instead of the Top Down
A bottom-up approach could include:
- Quantifying items in your risk register. This is often difficult and slow because risk register entries generally require a lot of clean-up and reframing to delineate loss events.
- Tackling vulnerability management. This is a worthy cause, and RiskLens can advise on a method, but other use cases deliver value more easily and quickly. Quantifying vulnerabilities is a more complex use case that is better addressed once your analysts are experienced and comfortable with quantifying technology risk.
Consider switching your approach. The most common way to start with quantitative analysis is a top-down approach. Identify risks at the enterprise or a business unit level. Use triage to identify your top ten risks and then rely on data helpers to drill down one level further in accuracy. Choose the one or two risks you want to mitigate and use quantification to evaluate two or three alternative solutions or controls to determine the best ROI. Presenting your top risks to leadership and the impact of mitigation options will make people take notice, and it can be done in a reasonable amount of time.
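The top-down procedure above (quantify a top risk, then compare mitigation options by ROI) and the earlier "useful amount of precision" question, as an added worked example that is not RiskLens code: a small FAIR-style Monte Carlo over PERT-distributed loss event frequency and loss magnitude. The scenario inputs, the two controls and their assumed effects are constructed for illustration.

```python
import math
import random
# Constructed (min, most likely, max) inputs for one top-down scenario:
# loss event frequency per year and loss magnitude per event in dollars.
SCENARIO = {"lef": (0.5, 2.0, 6.0), "lm": (50_000, 200_000, 1_000_000)}

# Hypothetical controls: annual cost and the share of LEF or LM each is
# assumed to remove (illustrative assumptions, not RiskLens guidance).
CONTROLS = {
    "A: phishing-resistant MFA": {"cost": 100_000, "lef_cut": 0.5, "lm_cut": 0.0},
    "B: shorter data retention": {"cost": 250_000, "lef_cut": 0.0, "lm_cut": 0.6},
}

def pert(rng, lo, ml, hi, lam=4.0):
    # Modified-PERT sample from a (min, most likely, max) triple.
    a = 1 + lam * (ml - lo) / (hi - lo)
    b = 1 + lam * (hi - ml) / (hi - lo)
    return lo + rng.betavariate(a, b) * (hi - lo)

def poisson(rng, lam):
    # Number of loss events in one simulated year (Knuth's method).
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_ale(scenario, lef_cut=0.0, lm_cut=0.0, years=20_000, seed=7):
    # Annualized loss exposure: mean total loss over the simulated years.
    rng, total = random.Random(seed), 0.0
    for _ in range(years):
        lef = pert(rng, *scenario["lef"]) * (1 - lef_cut)
        for _ in range(poisson(rng, lef)):
            total += pert(rng, *scenario["lm"]) * (1 - lm_cut)
    return total / years

def rank_controls(scenario, controls):
    # ROI = (loss avoided - cost) / cost for each option, best first.
    base = simulate_ale(scenario)
    rows = [(n, (base - simulate_ale(scenario, c["lef_cut"], c["lm_cut"]) - c["cost"]) / c["cost"])
            for n, c in controls.items()]
    return base, sorted(rows, key=lambda r: r[1], reverse=True)

def precision_check(scenario, ml_shift=5_000):
    # Relative change in ALE when the most-likely loss magnitude moves by ml_shift.
    lo, ml, hi = scenario["lm"]
    shifted = {"lef": scenario["lef"], "lm": (lo, ml + ml_shift, hi)}
    base = simulate_ale(scenario)
    return abs(simulate_ale(shifted) - base) / base
```

With these inputs the baseline ALE lands near $750k, control A ranks first on ROI, and nudging the most-likely loss by $5k moves the ALE by only about one percent, which is the "does a few thousand dollars either way matter?" test in numbers.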
Ask for Help
Whether internal or external, sometimes another set of eyes and ears can help. Talk through your project and your goals with anyone in the GRC space within your company. Batting around ideas and looking at the work through a “Does this make sense?” lens can be eye-opening as well as cathartic.
Also, RiskLens cyber risk quantification consultants have the experience to focus your efforts on what has worked with other clients. If your quantification program is not delivering value on its own, expert help may be the quickest route to getting it.
See the benefits of cyber risk quantification for yourself. Let us give you a RiskLens demo