>>Set Yourself Up for Success
Before you can get back into your analysis, you first need to make sure you have an environment that is going to encourage productivity. If you aren’t used to working remotely, here are a few tips to get set up.
Once you’ve gotten a handle on your perfect set-up, you’re ready to get back into the swing of quantitative risk analysis! The most important thing to keep in mind is that the same fundamentals of data gathering hold true whether you’re in person or remote; you may just need to tweak the preparation or delivery.
>>Prepare, Prepare, Prepare
The level of preparation for sessions should be the same as, or higher than, if the meeting were being held in person. This includes researching the scenario purpose and scope and clearly defining the data points required. When determining what data points are needed, identify the specific questions you will need answered and who in the organization can answer them.
It is also in your best interest to have more than one possible way in which to gather the data for your estimate. For example, if you need to know the number of times in a given year that there is a successful foothold in the network via phishing, consider a couple of different ways you could get to that answer such as:
>>Send a Detailed Agenda, Not an Email
When at all possible, all data gathering sessions should be held as a video conference or phone call, not conducted via email. This is important because it helps to reduce the likelihood of gathering inaccurate or uncalibrated data and allows the analyst to ask clarifying questions and ensure the scope guardrails are maintained.
If time does not allow for the length of data gathering you would like, rather than defaulting to gathering via email, suggest a different meeting time or shorter duration. Thirty minutes on the phone is more productive than a week of ineffective email chains.
Our team abides by the rule “no agenda, no attenda”. In order to make the most of the time you have with your subject matter experts, be sure to clearly document the purpose of the meeting and what will be covered. We recommend including the scenario scope and purpose and the specific data points that you will be estimating. If possible, relate the purpose of the scenario to that specific individual or team to show them why it matters to them specifically. It can also be beneficial to include the ultimate audience of the scenario (e.g., this will be reviewed during the Risk Committee meeting with the CISO).
>>Don’t Take No (Data) For an Answer
It can be all too easy to fall into the trap of agreeing to let the subject matter experts send over their estimates at a later date. This can happen for a number of reasons: they feel they don’t have enough or the right information, or they want to look deeper into a specific value or query a tool. Whatever the reason, this can lead to huge productivity halts in the analysis process.
This is difficult enough when you can walk past their offices every day with a pointed look until it is sent; it is much more difficult without that face-to-face interaction. In order to keep your analyses from stalling, you should never leave a call without a calibrated estimate. If necessary, the estimate can always be refined later, but by gathering an initial wide estimate you can continue making progress on your analysis while they dig deeper into the values.
At the end of the day, it is the amount of preparation and diligence of the analyst, not their environment, that determines their success.
“If the analyst is focused on the right tasks and considerations, and prepares the SME well to have that discussion by being clear about what's needed/sought, then the delivery method, live or remote, becomes inconsequential” – David Musselwhite, Professional Services Manager – Dean, RiskLens Academy