At RiskLens, we really like the saying "There are two kinds of forecasters: those who don't know and those who don't know they don't know." Certainly, none of us could have predicted the year that 2020 would turn out to be. We faced a global pandemic, a changing risk landscape, and regulatory updates, in addition to many more business challenges, all while working from home.
What we do at RiskLens is help organizations make better cybersecurity investment decisions by quantifying cyber risk in financial terms – and in 2020, that created a lot of interest in a world where risk seemed out of hand. Below are the top five questions that customers asked in 2020 and some resources to learn more about risk-based decision-making.
Mary Laura Samples is a Risk Consultant for RiskLens
How can risk quantification help us respond to challenges introduced by the pandemic?
Working from home has increased security challenges, such as rapid increases in VPN use and an uptick in phishing attacks, while the turbulent economy has made security investment decisions increasingly difficult.
Cyber risk quantification enables companies to determine the amount of risk, in dollars, that their organization faces because of these security challenges. Having that risk quantified in financial terms enables leadership to make better decisions on where that limited security budget should go. The same goes for other questions that have been asked in this current environment, such as whether or not to migrate a specific workload to the cloud. We can compare the risk of cloud migration to the current state of risk, as well as the total cost of the migration, to make a compelling business case rooted in numbers.
For more details on each of these points, check out these blog posts:
- Cyber Risk Analysis for Unpatched Endpoint Vulnerabilities and More Remote Work Security Challenges
- Three Steps to Evaluate Security Risks of Cloud Migration
- Cyber Risk Uncertainty is Dangerous in Turbulent Economic Times
How can I use risk quantification to prioritize my risk management efforts?
Oftentimes, organizations have an idea of what their biggest risks are, but distinguishing between the top few and building concrete business cases is a different story. Quantifying risk in financial terms opens up possibilities to compare risks in a meaningful way. Gone are the days of distinguishing between two "High" risk scenarios based on a maturity score of 1-5. Instead, we can compare a $1 million risk scenario to a $500,000 risk scenario.
The easiest place to start is the Rapid Risk Assessment capability within RiskLens, which makes FAIR analysis much faster and easier, enabling you to quantify risks in 15-30 minutes. The result is a stack-ranking of your risks, which allows you to dive further into those that sit at the top. From there, you can use the Risk Treatment Analysis to determine how much different risk treatments can lower those top risks, and which have a stronger ROI for reducing risk. I recently helped a client determine that they could reduce their risk for a scenario by 93% by implementing a control that cost almost nothing, instead of investing thousands in a technology solution that would reduce it by 96%. This extends beyond control investments as well. The same concept applies to bug remediation, audit findings, and policy exceptions.
Here are some blog posts that expand on these use cases more specifically:
- 3 Steps to Prioritizing Control Investment with RiskLens Rapid Risk Assessment
- RiskLens Introduces Risk Treatment Analysis
- Benefits of Using RiskLens to Prioritize Bug Remediation
- Reacting to IT Audit Findings - Get Ahead of Them with Cyber Risk Quantification
- How to Quickly Assess Your Organization's Top Infosecurity Risks
How can risk quantification help us meet regulatory requirements?
Most compliance standards require a formal risk assessment process, but don't provide much guidance on how that risk assessment should be performed. In order to meet these requirements, many organizations align their programs to frameworks such as NIST CSF, ISO, and COSO. Because FAIR provides a consistent, accurate and defensible method of measuring and reporting information security risk, it augments frameworks in a way that both meets regulatory requirements and drives maturity.
For more information on how FAIR integrates with specific regulations and frameworks, take a look at the following posts:
- Quantify Risk Assessment for PCI DSS, HiTrust, GDPR and More Standards
- Case Study: RiskLens and FAIR Satisfy HIPAA Risk Analysis Requirements
- 10 Ways RiskLens Can Help Implement COSO's Cyber Guidance
- NIST Recommends FAIR for Integrating Cybersecurity with Enterprise Risk Management
Ransomware is everywhere - what is our risk?
According to the 2020 Verizon Data Breach Investigations Report, ransomware is "a big problem that's continuing to get bigger". Successful attacks on education, municipal governments, healthcare, and more have made headlines this year. No business seems to be exempt.
Organizations can quantify the risk that ransomware poses to their business by first analyzing the risk for their most critical “crown jewel” assets. Those analyses can then be aggregated within the RiskLens platform to give a bigger picture of what the risk is across the scoped applications. Furthermore, a Risk Treatment Analysis can be done in order to identify how much that risk could be reduced if the organization were to implement certain changes.
The below blogs provide more details on how you can quantify the risk of ransomware attacks:
- Case Study - Healthcare Organization Sets a Strategy Against Ransomware
- Case Study - Manufacturer Makes Risk Based Decision on Ransomware Controls
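To make the comparisons described in the prioritization and ransomware sections above concrete, here is an added illustration of the arithmetic behind them. It is not RiskLens code and is a deliberate simplification of a FAIR analysis: it samples loss event frequency and loss magnitude from min/most-likely/max ranges (using a triangular distribution as a stand-in for the PERT distribution FAIR typically uses), turns them into an annualized loss exposure, stack-ranks scenarios in dollars, aggregates several scenarios into one exposure figure, and compares treatments by risk reduced versus cost. The scenario ranges, the treatment names, their costs, and their reduction percentages are constructed values for the example (the 93% and 96% figures echo the anecdote above but the dollar amounts are invented).

```python
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """A FAIR-style loss scenario: how often a loss event happens per year
    (loss event frequency, LEF) and what each event costs (loss magnitude, LM).
    Both are calibrated ranges, (min, most_likely, max), not single guesses."""
    name: str
    lef: tuple  # loss events per year
    lm: tuple   # dollars per loss event


@dataclass(frozen=True)
class Treatment:
    """A candidate control, modelled here as preventing a fraction of loss events."""
    name: str
    annual_cost: float
    lef_reduction: float  # 0.0 .. 1.0


def sample_range(rng, bounds):
    # Triangular stand-in for the PERT distribution used in FAIR tooling (assumption).
    lo, most_likely, hi = bounds
    return rng.triangular(lo, hi, most_likely)


def simulate(scenario, iterations=20000, seed=7):
    """Monte Carlo: one annual loss figure per iteration (frequency x magnitude)."""
    rng = random.Random(seed)
    return [sample_range(rng, scenario.lef) * sample_range(rng, scenario.lm)
            for _ in range(iterations)]


def summarize(losses):
    """Annualized loss exposure (mean) plus the 10th/90th percentiles for the range."""
    ordered = sorted(losses)
    n = len(ordered)
    return {"ale": statistics.fmean(ordered),
            "p10": ordered[int(0.10 * n)],
            "p90": ordered[int(0.90 * n)]}


def annualized_loss(scenario, **kw):
    return summarize(simulate(scenario, **kw))["ale"]


def rank_scenarios(scenarios):
    """Stack-rank scenarios by dollars of exposure, highest first."""
    return sorted(scenarios, key=annualized_loss, reverse=True)


def aggregate(scenarios, iterations=20000):
    """Sum independent per-scenario simulations to get exposure across all scoped assets."""
    totals = [0.0] * iterations
    for i, scenario in enumerate(scenarios):
        for j, loss in enumerate(simulate(scenario, iterations, seed=100 + i)):
            totals[j] += loss
    return summarize(totals)


def apply_treatment(scenario, treatment):
    k = 1.0 - treatment.lef_reduction
    lo, ml, hi = scenario.lef
    return replace(scenario, lef=(lo * k, ml * k, hi * k))


def roi(risk_reduced, cost):
    """Return on a control: dollars of risk removed net of its cost, per dollar spent."""
    return (risk_reduced - cost) / cost


def compare_treatments(scenario, treatments):
    """Risk Treatment Analysis in miniature: rank controls by ROI, not by reduction alone."""
    baseline = annualized_loss(scenario)
    rows = []
    for t in treatments:
        reduced = baseline - annualized_loss(apply_treatment(scenario, t))
        rows.append({"treatment": t.name, "cost": t.annual_cost,
                     "risk_reduced": reduced,
                     "reduction_pct": 100.0 * reduced / baseline,
                     "roi": roi(reduced, t.annual_cost)})
    return sorted(rows, key=lambda r: r["roi"], reverse=True)


# Constructed sample scenarios; the ranges are illustrative, not real client data.
SCENARIOS = [
    Scenario("Ransomware on crown-jewel ERP", lef=(0.2, 0.5, 1.0), lm=(500_000, 2_000_000, 5_000_000)),
    Scenario("Phishing credential theft", lef=(1.0, 3.0, 6.0), lm=(20_000, 60_000, 150_000)),
    Scenario("Unpatched remote endpoint", lef=(0.5, 1.0, 2.0), lm=(30_000, 100_000, 250_000)),
]

# Constructed treatments mirroring the "cheap control vs expensive technology" comparison.
TREATMENTS = [
    Treatment("Policy/configuration control", annual_cost=500, lef_reduction=0.93),
    Treatment("Technology solution", annual_cost=50_000, lef_reduction=0.96),
]

if __name__ == "__main__":
    for s in rank_scenarios(SCENARIOS):
        print(f"{s.name:32s} ALE ${annualized_loss(s):>12,.0f}")
    print(f"{'Aggregate exposure':32s} ALE ${aggregate(SCENARIOS)['ale']:>12,.0f}")
    for row in compare_treatments(SCENARIOS[0], TREATMENTS):
        print(f"{row['treatment']:32s} -{row['reduction_pct']:.0f}%  ROI {row['roi']:,.1f}x")
```

Because the treated scenario is simulated with the same seed as the baseline, the reduction it reports equals the modelled LEF reduction exactly, which keeps the comparison about cost-effectiveness rather than sampling noise; in a real analysis the treatment's effect would itself be a calibrated range.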
Risk quantification sounds great… where do we start?
Maybe after reading through the above questions, you find yourself wanting to answer them for your organization, but don't know where to start. RiskLens offers proof of value engagements that can meet your needs at any level. These are designed to showcase the functionality of the RiskLens platform, help focus on an initial business pain point to drive immediate value, take a hands-on run at quantitative risk analysis and management, and show how a risk management program can be operationalized and integrated into your organization's processes and culture.
After this, there are many roads that a program can go down, and RiskLens has helped hundreds of large companies flexibly build and support their roadmaps based on their unique needs and starting points. From adopting FAIR and risk quantification, to scaling it across the organization, our team has the experience to help organizations be successful in quantifying their risks to make better cybersecurity decisions.
To learn more about risk quantification adoption and implementation, check out these blog posts: