Leadership Focus
When risk leadership is not championing the program, risk analysts may find themselves trying to guess which analysis will interest leadership enough to get their attention.
The key is to get risk leadership involved with the question at hand. They have business problems to solve (reporting the value of top risks, determining where to focus scarce resources and/or choosing the best security investments) that will suggest risk scenarios to analyze.
Seeking the Perfect Use Case
Sometimes risk leadership tries to determine the perfect area to apply technology risk quantification. Make sure they know the value proposition of quantitative analysis – then just start. Select a decision that needs to be made and use quantification to inform it. The lessons learned in doing analyses and seeing results will help you hone your use cases for more analysis work.
Trying to Collect Ever-better Data for Every Possible Rule, Configuration, Possibility or Exception
FAIR analysis aims for “a useful amount of precision,” but that can mean different things to different people. Gathering inputs for quantitative analysis again and again is not valuable, and the impact on analysis results is negligible.
Start by using your library of data helpers in the RiskLens platform and modify the more custom inputs (for a walk-through of data helpers and all the other time-saving tools in the platform, watch this video: Maximizing RiskLens Efficiency). Do the results make sense? Will a few thousand dollars either way make a difference? If not, you are likely at the right level of effort.
Starting from the Bottom Up Instead of the Top Down
A bottom-up approach could include:
Consider switching your approach. The most common way to start with quantitative analysis is a top-down approach. Identify risks at the enterprise or a business unit level. Use triage to identify your top ten risks and then rely on data helpers to drill down one level further in accuracy. Choose the one or two risks you want to mitigate and use quantification to evaluate two or three alternative solutions or controls to determine the best ROI. Presenting your top risks to leadership and the impact of mitigation options will make people take notice, and it can be done in a reasonable amount of time.
Learn more:
Think Fast - Justify and Prioritize Cybersecurity Investment Decisions in an Hour
Webinar: How RiskLens Helps CISOs Prioritize and Justify Cybersecurity Investments
Ask for Help
Also, RiskLens cyber risk quantification consultants have the experience to focus your efforts on what has worked with other clients. If you are not getting value from your quantification program on your own, you need to start getting value, and expert help may be the quickest route.