How to Set Effective Goals for Your Cyber Risk Program

By Steve Tabacek | January 24, 2019

Henry Ford once said, “If I asked customers what they wanted, they would have said a faster horse.”  He instead went deeper and focused on understanding what job the customer was trying to do: Get from point A to point B safely and in the shortest period of time. If RiskLens asked what our customers wanted, they may have initially asked for improvements to their existing qualitative analysis process–-better heat maps or other imprecise tools. Instead, we went deeper and focused on functional jobs our customers were trying to do, and how they could analyze those jobs in quantifiable, bottom-line terms. At RiskLens, we are inspired by the  “Jobs-to-be-Done” Theory as a way to sharpen the focus on true customer needs, ensuring that we deliver a platform that successfully targets a quantitative risk analysis program to an organization's core functional jobs.  Jobs-to-be-done Theory provides a framework we have adapted for categorizing, defining, capturing, and organizing your objectives.  We then tie your defined performance metrics (in the form of desired outcome statements) to the Job-to-be-Done. Jobs-to-be-done are defined with a very specific sentence syntax, specifically "job statement = verb + object of the verb (noun)."  The job statement leads to one or more outcomes.

Jobs-to-be-Done Methodology for Cyber Risk Assessment

 Jobs-to-be-Done Outcomes
Educate stakeholders on the FAIR model (our quantitative analysis method) while phasing-in quantitative risk analysis to standard operating procedures
  • Complete executive briefings showing credibility of FAIR-based quantitative risk analysis to earn executive support
  • Achieve base FAIR certification for mid-level managers and risk analysts (enabling them to produce analysis reports)
  • Internal audit validation of risk analysis reports (establishing credibility of analysis work)
  • Win overall cultural acceptance of FAIR analysis by alignment with corporate ERM practices
Analyze GRC risk register “high” findings to determine mitigation prioritization
  • Re-express register findings as FAIR compliant risk scenarios; clearly articulate assets, threat actors, and threat effects
  • Translate risk to the language business leaders understand: dollars and cents
  • Pre/post mitigation options to show mitigation cost, original loss exposure, and post mitigation exposure

Analyze top-10 cyber risks for board of directors  
  • Structure risk reports as scenarios
  • Quantitative – Express risk in dollars and cents
  • Demonstrate analysis is accurate and credible
  • Set up analysis process to be manpower/resource efficient
  • Provide diagnostic information for mitigation determination
  • Clearly show ROI of mitigation options
Demonstrate compliance  with NY DFS 500.09  financial regulatory standard while managing risk and providing a basis for strategic and tactical mitigation decisions
  •  Build risk analysis process into standard operating procedures
  • Align (defendable) analysis results with mitigation priorities
  • Summarize risk analysis results, customized for audit reporting
 Analyze 3rd party/vendor risk to determine potential loss exposure to the organization  
  • Analyze vendor risk to the organization, based on probable loss event frequency and probable loss magnitude.
  • Report as a summary portfolio of all critical vendors and associated risk to the organization.
 Analyze risk to determine cyber risk insurance coverage amounts  
  • Focus analysis results only on confidentiality breach of all PII, PCI, and PHI data
  • Analyze results for primary response, fines and judgments, reputation, and secondary response loss exposure

Tips for a Successful Risk Analysis Process

  • Focus on “functional jobs” and limit analysis to a finite and achievable scope for your organization.  When defining functional jobs, it’s critically important to document the desired outcomes.  The documented outcomes are the ultimate metrics used to measure the success of your quantitative risk program.
  • Be aware of “emotional jobs” and “social jobs.”  We are not data-driven machines and need to acknowledge humanity and the psychological effects associated with undertaking any major project or initiative.  Emotional jobs define how you or the other organization stakeholders want to feel or avoid feeling as a result of executing the core functional job.  Social jobs define how you or your stakeholders want to be perceived by others.  Most of the organizations that we work with don’t document the emotional and social jobs but do understand those factors play a role in the overall success of the program.
  • Document “Short-term-Win” objectives, when initially defining Jobs-to-be-Done and outcomes.   Many Jobs-to-be-Done definitions are long-term initiatives.  Defining a few short-term goals that conform to the defined outcomes will help the firm recognize success in phases, thus improving emotional and social job factors.
The  RiskLens Professional Services team has worked with companies from every major commercial market sector and has the experience to help you articulate and document your functional jobs, outcomes, and short-term-wins.