Sometimes the Best Cybersecurity "Control" Is a New Hire

January 22, 2019  Tim Wynkoop

I was recently asked if Factor Analysis of Information Risk ( the FAIR model) could be used to save time. Interesting conundrum. Usually, a FAIR analysis is used to save money: Compare the probable cost of loss events to the cost of controls for a clear picture of potential return on security investments. By controls we often mean some product or service: two-factor identification, data loss prevention, etc.

But time is money in business, as the old saying goes. A lot of organizations want to operate in a very “efficient” way (with as little staff overhead as possible).  I am all for lean operations and smart ways of doing business, but how do you manage that along with not over-working (insert other “over” word here) your employees?

Could FAIR actually be used to figure that out?  Let me see if I can bring you into my thought process for a moment.

To start let's ask a couple questions:  Why is staff time scarce?  Are our processes efficient as they could be?  Do we have enough staff to begin with?

These questions seem more philosophical than practical.  Before you start listing all of the potential negative answers to these questions let's think about it logically.

Why is staff time scarce?

There could be a number of reasons for this; it could be that our business has grown so rapidly it hasn’t been possible to get people to fill the position fast enough or the people we have in those positions may not have enough resources to do their job.  I am in no position to answer why your staff time is so scarce but I can ask,

What if you added an additional person or improved a process--would it help to save staff time and in turn save money?

Recently, I was working with a clothing manufacturer to run a specific IT-related risk scenario.   After running the scenario to show how much loss exposure their organization faced, we ran into a problem: How to deal with it? They didn’t know.

After much thought and discussion, they determined a possible solution would be to hire an additional person to help monitor the logs (as the monitoring of these logs were becoming more important) of this particular IT system and in turn improve their log monitoring process.

As we talked it over, they got to thinking about this type of "control" idea more.  Not only would improving this process help reduce their Annualized Loss Exposure by about $200,000, they felt they could hire someone for less than that and still have a risk reduction.

In doing some research for their organization they found:

  • Hiring a worker would cost around $4,000
  • Training for that employee could be between $1,200 - $1,800
  • The annual salary plus benefits for the type of position required would be around $60K - $80K annually

But could there be other cost savings?

Currently, they had no one whose job was to specifically monitor the logs.  It was a couple people’s secondary, third or fourth responsibility to do.  The problem was it would always get pushed to lower end of the priority scale.

The team thought that if they hired an additional person specifically for monitoring the logs, that person could also serve as a backup for other functions.  The benefit for the others who had the additional responsibility of monitoring the logs was that they were able to focus their efforts on their other functions as it would free up some of their time.  These people were already working 10, 11 or 12 hour days just to stay afloat.

The team was able to show the decision makers that adding an additional FTE would improve more than just their risk posture, but also improve the quality of life for the other employees.  This was something they weren’t able to do in the past because, as in risk management, they were using just a finger in the wind to try to make their case.

So yes, you can leverage the critical thinking skills you learn as a FAIR analyst to help you solve this problem, with the RiskLens platform to put some numbers around it–-and truly evaluate best ROI on security investments, human or otherwise.


Right-Size Your Cyber Risk Team in 4 Steps