The Cyber Risk Quantification (CRQ) platform from RiskLens is designed for CISOs who want to build a quantitative risk management program based on cost-effective, business-aligned decisions on cyber and technology risk – and want to communicate about risk in the financial terms that the rest of the business understands.
We mean what we say, but as a company of critical thinkers, we love when people challenge us to prove it! If you’re looking for a way to “kick the tires” and put our claims to the test, a RiskLens pilot is meant for you.
What is a risk quantification pilot project?
Plain and simple, a pilot is an on-site consulting engagement, leveraging the RiskLens platform to perform an actual quantified risk assessment on a risk issue of strategic importance to your organization, with the goal of proving the value of the FAIR model and the platform.
The four-day engagement is led by a RiskLens consultant who works on-site with your team and your data to quantify one risk scenario of your choosing using our Cyber Risk Quantification platform. Deliverables, including reports at both the executive and analyst levels, present the financially quantified findings and provide clarity to support business aligned decision making on the chosen scenario.
Day 1 of the pilot kicks off with a 2-3 hour orientation on the FAIR model, with an audience typically compromised of risk analysts, SMEs who will provide data in the following days, and key executive stakeholders. It ensures that everyone understands the basic terminology and value proposition of FAIR before practically applying it to the chosen risk scenario.
Days 2 and 3 are primarily focused on data gathering sessions, running the analysis in the platform, and creating the final deliverables.
On Day 4, there is a presentation of the final results, quickly followed by an adoption discussion. These final sessions, the culmination of the week's efforts, attract Risk and Security Steering Committees and often executive leaders across the three lines of defense as it is an effective opportunity to review the benefits of quantitative assessments over their current approaches and see first-hand the resulting decision making it enables.
Organizations that have completed a pilot have found that the value is two-fold.
- First, they can evaluate the process and level of effort for quantifying risk with FAIR and gain an understanding of how this approach can be scaled using the RiskLens platform to build a sustainable program.
- Second, they complete a quantitative risk analysis of immediate value to the business for use in tactical decision making.
The results of the pilot will build a strong case for implementing cyber risk quantification in your organization.
What are the required resources for a pilot?
When an organization conducts a pilot with RiskLens, it needs to be prepared to:
- Help define or scope a risk analysis scenario for the pilot.
- Involve at least one executive sponsor to ensure that the analysis scenario is aligned with business objectives and that adequate resources will be available to gain maximum advantage from the analysis process.
- Have at least one dedicated risk analyst available for the entirety of the engagement to help complete the risk analysis with our platform.
- Schedule meetings to be held during the engagement with relevant subject matter experts in your organization who will provide data inputs for the analysis on the selected risk scenario.
How to choose a meaningful risk scenario for a RiskLens pilot
Picking a risk scenario that’s at the top of the agenda for you and your organization is key to getting the most value out of a pilot. Here are a few questions to get your creative juices flowing on what risk scenario to analyze:
- Are you trying to justify a security investment or calculate the ROI on a new technology that is meant to reduce risk?
- Are you looking to demonstrate a before / after comparison of a security initiative's effect on risk?
- Are you trying to assess how much risk is associated with a breach or downtime to a major application, business process or database – and the relative effectiveness of different controls improvements?
All of these topics are excellent starting points for selecting a risk scenario. Since the pilot work period is a limited engagement of four days, we will help to guide you in right-sizing a risk scenario that can be successfully completed in that timeframe. By strategically choosing a meaningful risk scenario, some organizations have utilized a pilot to help make a decision that met a significant objective for the year.
Resources to help you
If you’re still unsure about whether a pilot is the right next step for you and your organization, consider reading through our case studies that reflect recent customer engagements. The case studies below can further guide your selection of a risk scenario and will give you a full picture of how a pilot was completed, what data was used for the analysis, and how pilot results could inform a real business decision.
Some sample RiskLens pilot case studies:
Listen to this webinar on demand to hear RiskLens Consultant,Taylor Chester, tell the story of a recent engagement with a large financial organization that started with a basic question: How to decide between two types of controls (purging data or tokenizing records) to protect against malicious exfiltration of data?
A financial services company suspected it was suffering “death by a thousand cuts” from data leaks by employee email mistakes but couldn’t get its arms around the extent of the problem or how to fix it. Using RiskLens, the risk management team gathered and made sense of the available GRC data, put hard numbers on the losses, and evaluated mitigating control options to find the most cost-effective control.
The technology risk team used RiskLens’ Cyber Risk Quantification application to measure:
- Current risk without encryption versus the forecasted risk with encryption
- Changes in loss exposure based on PII record counts in databases
Some helpful blog posts for more detail on what to expect from a pilot engagement: