"We're not very mature" — it's a statement we hear in many conversations with information security professionals, despite the technological skills and proliferation of risk management maturity assessment tools in their organizations.
Jack Jones, co-founder of RiskLens, once commented on the subject, saying, "Where we are, as a profession, it's like we're doctors relying on bloodletting." Which is to say, there's plenty of room for process improvement in the way most businesses approach risk mitigation.
As Jack sees it, common risk maturity assessment models in our profession are missing the point by focusing on what he calls "lagging indicators" — technologies or processes we can check off on a list.
Those models don't have a clearly defined meaning of maturity — a higher score is simply better than a lower score. "They don't really define what maturity represents," Jack says. "Many of us know organizations that score reasonably well on common risk maturity assessments, but have significant difficulty prioritizing well or executing reliably."
Healthy risk governance relies on continuous improvement and a framework that quantifies risk events in financial terms to inform strategy.
What Is Risk Maturity?
Risk maturity is the ability to "reduce noise and focus more effectively on truly high-risk concerns, choose cost-effective solutions for the risk management priorities, and execute reliably," Jack explains. An organization with high risk maturity knows what their risk appetite is and what effective risk management looks like. "A mature organization is one that can cost-effectively achieve and maintain an acceptable level of risk," according to Jack.
Jack pioneered the FAIR™ standard to give a solid foundation for prioritizing and communicating cyber and technology risk management through quantifying risk in financial terms. This approach to managing risk is what led to the creation of the RiskLens platform, which circumvents the problem inherent in the standard risk maturity model and gives organizations a clearer understanding of their current maturity and what can be done to improve it.
However, the conversation can then turn to a new risk management maturity problem: "We're not mature enough to do quantification. We don't have the data, the people, or the time."
In his blog post on risk management maturity, Steven Tabacek, who co-founded RiskLens with Jack, outlines client apprehensions around the RiskLens approach to risk assessment and reporting. Steve addresses their concerns by explaining how the RiskLens platform meets the critical needs of our clients at any risk maturity level.
- Data: Data Helpers and Loss Tables are pre-populated with targeted, re-usable data built around common risk scenarios. A guided workflow guides analysts through collecting internal data from your subject matter experts.
- People: FAIR training through RiskLens quickly gets your team up and running on quantitative analysis; guided workflow helps them complete every step of analysis and reporting.
- Time: The platform's Rapid Risk Assessment capability produces a prioritized list of top risks in minutes for quick decision support. The Risk Treatment Analysis capability also rapidly runs comparative ROI calculations for security control options.
Altogether, Steve writes, "The newest version of the RiskLens platform significantly simplifies strategic, tactical, and governance-driven risk assessments."
RiskLens Enhances the Risk Maturity Assessment Models You Already Use
RiskLens is not only compatible with NIST CSF and other NIST publications, CIS Controls, the ISO 27000 series, HITRUST CSF, HIPAA Security Rule, and other standards and frameworks — it enhances their use by giving guidance on which of the recommended controls and processes to deploy based on a cost-benefit analysis. In fact, the FAIR™ standard is recommended for risk analysis and risk management in the NIST CSF. Overall, the RiskLens platform helps create and support reliable risk management infrastructure.Contact us to discover how RiskLens can help your organization raise its risk management maturity level by helping you prioritize and communicate risk management initiatives with the power of risk quantification.