Webinar: The 4 Stages to Launch a Cyber Risk Quantification Program

By Jeff B. Copeland | May 1, 2019


In this listen-on-demand webinar, Chad Weinman, Vice President, Professional Services, for RiskLens and one of the most experienced trainers on the planet for Factor Analysis of Information Risk (FAIR), shows you how to think through the introduction of a cyber risk management program based on FAIR quantitative risk analysis—emphasis on “think”.

As Chad describes the process, FAIR adoption isn’t plug-and-play; it’s a change in mindset that can include confronting some of the misguided practices of the past. Chad calls out four stages of this journey:

1. Define Your Purpose

Ask such questions as:
  • Why are you building a risk program?
  • Who is your audience?
  • What decisions will be supported by your risk assessments?

This questioning should help you avoid Risk Register Syndrome, in which risks are filed away in a register with no follow-up. Chad recommends creating a very specific mission statement, such as “We will analyze the top infosec initiatives for next year and report on their value to the business and regulators.”

2. Reflect on Your Current Situation

Ask yourself what your program is now – even if you think you don’t have a program, you have one, says Chad, because risk decisions are being made, even if by the seat of the pants. And honestly ask what your biggest challenges are: No consistency? No reporting? No defined audience?

3. Set Your Course by Your North Star

Your guiding light should be your vision of the wildly successful program you will be running in two years, built around two or three themes, for instance a program that:
  • Speaks to the business in dollar terms
  • Uses an objective, data-driven approach
  • Is efficient and right-sized for the assessment type

4. Enable with the Three P’s

That’s People, Platform and Process. For the people, it’s critical to get the team trained on FAIR so they share a common definition of risk. You need a platform (like RiskLens), Chad argues, because you can’t run true risk quantification on do-it-yourself spreadsheets or other solutions. Your process should be guided by your North Star and integrated with the platform – then get it out of the box quickly and show the organization what you can produce, Chad advises. After launch, be sure to “rinse and repeat,” he says. “So often organizations make a great start, they identify their top five risks but then they too quickly try to move on to something else. You want to find that goal and then refine it…Risk is never analyzing it once, then never again.”

Chad's Professional Services team is dedicated to leading clients through the journey to objective, data-driven risk management. "We want to help you through the process but never leave you reliant on us," he says. Learn more about RiskLens enablement services.

The FAIR model for cyber risk quantification is in use at over 30% of Fortune 1,000 companies. Learn more about FAIR training through RiskLens.