| Jobs-to-be-Done | Outcomes |
| --- | --- |
| Educate stakeholders on the FAIR model (our quantitative analysis method) while phasing in quantitative risk analysis to standard operating procedures | Complete executive briefings showing the credibility of FAIR-based quantitative risk analysis to earn executive support; achieve base FAIR certification for mid-level managers and risk analysts (enabling them to produce analysis reports); obtain internal audit validation of risk analysis reports (establishing the credibility of analysis work); win overall cultural acceptance of FAIR analysis by aligning it with corporate ERM practices |
| Analyze GRC risk register "high" findings to determine mitigation prioritization | Re-express register findings as FAIR-compliant risk scenarios, clearly articulating assets, threat actors, and threat effects; translate risk into the language business leaders understand: dollars and cents; compare pre- and post-mitigation options to show mitigation cost, original loss exposure, and post-mitigation exposure |
| Analyze the top 10 cyber risks for the board of directors | Structure risk reports as scenarios; express risk quantitatively, in dollars and cents; demonstrate that the analysis is accurate and credible; set up the analysis process to be manpower- and resource-efficient; provide diagnostic information for mitigation decisions; clearly show the ROI of mitigation options |
| Demonstrate compliance with the NY DFS 500.09 financial regulatory standard while managing risk and providing a basis for strategic and tactical mitigation decisions | Build the risk analysis process into standard operating procedures; align (defensible) analysis results with mitigation priorities; summarize risk analysis results, customized for audit reporting |
| Analyze third-party/vendor risk to determine potential loss exposure to the organization | Analyze vendor risk to the organization based on probable loss event frequency and probable loss magnitude; report as a summary portfolio of all critical vendors and their associated risk to the organization |
| Analyze risk to determine cyber risk insurance coverage amounts | Focus analysis results only on confidentiality breaches of PII, PCI, and PHI data; analyze results for primary response, fines and judgments, reputation, and secondary response loss exposure |