What's Risk Management Maturity?

By Kendall Eide | January 23, 2019


“We’re not very mature” is a statement we hear in many conversations with information security professionals, despite their technical skills and the proliferation of risk management maturity assessment tools in their organizations.

Jack Jones, co-founder of RiskLens once responded to that comment by saying, “Where we are, as a profession, it’s like we’re doctors relying on bloodletting.”

As Jack sees it, common maturity models in our profession miss the point by focusing on what he calls “lagging indicators”: technologies or processes that can be checked off a list.

Those models don’t clearly define what maturity means; a higher score is simply taken to be better than a lower one. “They don’t really define what maturity represents,” Jack says. “Many of us know organizations that score reasonably well on common risk maturity assessments, but have significant difficulty prioritizing well or executing reliably.”

Jack has a more practical definition of maturity: 

“A mature organization is one that can cost-effectively achieve and maintain an acceptable level of risk.” 

Mature organizations are able to “reduce noise and focus more effectively on truly high-risk concerns, choose cost-effective solutions for the risk management priorities, and execute reliably,” Jack says.

Jack created the FAIR standard to provide a solid foundation for prioritizing and communicating cyber and technology risk management by quantifying risk in financial terms.

But the conversation can then turn to a new maturity concern: “We’re not mature enough to do quantification. We don’t have the data, the people or the time.”

In his blog post on risk management maturity, Steven Tabacek, who co-founded RiskLens with Jack, wondered if that’s really “a catch-all, polite way of saying ‘You haven’t provided a compelling enough reason for me to consider RiskLens.’ Simply put, we haven’t provided the ROI or marketplace success stories proving RiskLens can more cost-effectively manage cybersecurity and technology risk.”

Steve’s answer:

The RiskLens platform meets the critical needs of our clients at any maturity level.

  • Data. Data Helpers and Loss Tables are pre-populated with targeted, re-usable data built around common risk scenarios. A guided workflow steps analysts through collecting internal data from your subject matter experts. 
  • People. FAIR training through RiskLens quickly gets your team up and running on quantitative analysis; guided workflow helps them complete every step of analysis and reporting. 
  • Time. The platform’s Rapid Risk Assessment capability produces a prioritized list of top risks in minutes for quick decision support. The Risk Treatment Analysis capability also rapidly runs comparative ROI calculations for security control options. 
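To make concrete what “quantifying risk in financial terms” and a “comparative ROI calculation for security control options” look like in practice, here is an added example written for this page; it is not RiskLens code and not a reference implementation of the FAIR standard. It follows the FAIR decomposition of risk into loss event frequency and loss magnitude, takes calibrated minimum / most likely / maximum estimates for each, runs a Monte Carlo simulation to produce an annualized loss exposure, and then ranks two hypothetical controls by net benefit and ROI. The scenario, the frequency and loss ranges, and the control costs and effectiveness figures are all constructed assumptions, not measurements.

```python
"""FAIR-style Monte Carlo risk quantification with a comparative control ROI.
Added illustration, not RiskLens code; every figure below is constructed for the demo."""
import math
import random
import statistics
from dataclasses import dataclass

@dataclass(frozen=True)
class Pert:
    """Calibrated estimate (minimum, most likely, maximum) modelled as a PERT distribution."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        if self.high == self.low:
            return self.low
        span = self.high - self.low
        # PERT is a Beta distribution rescaled to [low, high]; the mode fixes its shape.
        a = 1 + 4 * (self.mode - self.low) / span
        b = 1 + 4 * (self.high - self.mode) / span
        return self.low + rng.betavariate(a, b) * span

def poisson(lam: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler: how many loss events occur in one year at rate lam."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

@dataclass(frozen=True)
class Scenario:
    """One FAIR loss scenario: loss event frequency (per year) and loss magnitude (per event)."""
    name: str
    lef: Pert
    loss_magnitude: Pert

@dataclass(frozen=True)
class Control:
    """A candidate control: annual cost plus the share of frequency and magnitude it removes."""
    name: str
    annual_cost: float
    lef_reduction: float = 0.0
    magnitude_reduction: float = 0.0

def simulate_annual_losses(scenario: Scenario, trials: int = 10_000, seed: int = 1) -> list:
    """One simulated year per trial: draw a frequency, draw that many losses, sum them."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        events = poisson(scenario.lef.sample(rng), rng)
        losses.append(sum(scenario.loss_magnitude.sample(rng) for _ in range(events)))
    return losses

def summarize(losses: list) -> dict:
    """Annualized loss exposure (ALE) statistics a decision maker asks for."""
    s = sorted(losses)
    return {"mean": statistics.fmean(s), "median": s[len(s) // 2],
            "p90": s[int(0.9 * (len(s) - 1))], "max": s[-1]}

def apply_control(scenario: Scenario, control: Control) -> Scenario:
    """Residual-risk scenario with the control's reductions applied to the estimates."""
    def scaled(p: Pert, factor: float) -> Pert:
        return Pert(p.low * factor, p.mode * factor, p.high * factor)
    return Scenario(f"{scenario.name} + {control.name}",
                    scaled(scenario.lef, 1 - control.lef_reduction),
                    scaled(scenario.loss_magnitude, 1 - control.magnitude_reduction))

def control_roi(scenario: Scenario, control: Control, trials: int = 10_000, seed: int = 1) -> dict:
    """Mean ALE before and after the control; net benefit is risk removed minus cost."""
    before = statistics.fmean(simulate_annual_losses(scenario, trials, seed))
    after = statistics.fmean(simulate_annual_losses(apply_control(scenario, control), trials, seed))
    reduction = before - after
    return {"ale_before": before, "ale_after": after, "risk_reduction": reduction,
            "net_benefit": reduction - control.annual_cost,
            "roi": (reduction - control.annual_cost) / control.annual_cost}

def rank_controls(scenario: Scenario, controls: list, trials: int = 10_000, seed: int = 1) -> list:
    """Rank options by net benefit, the quantity a budget decision actually turns on."""
    rows = [(c.name, control_roi(scenario, c, trials, seed)) for c in controls]
    return sorted(rows, key=lambda row: row[1]["net_benefit"], reverse=True)

# Constructed demo inputs (assumed, not measured): a credential-stuffing scenario and two options.
PORTAL_TAKEOVER = Scenario("Customer account takeover via credential stuffing",
                           lef=Pert(2, 6, 20), loss_magnitude=Pert(15_000, 60_000, 400_000))
CONTROLS = [Control("Phishing-resistant MFA on the portal", annual_cost=180_000, lef_reduction=0.9),
            Control("Enhanced fraud monitoring", annual_cost=90_000, lef_reduction=0.3, magnitude_reduction=0.4)]

if __name__ == "__main__":
    print(summarize(simulate_annual_losses(PORTAL_TAKEOVER)))
    for name, r in rank_controls(PORTAL_TAKEOVER, CONTROLS):
        print(f"{name}: net benefit ${r['net_benefit']:,.0f}/yr, ROI {r['roi']:.1f}x")
```

Run as a script, it prints the ALE summary (mean, median and 90th percentile, since the tail is what keeps executives awake) and the ranked controls. With these constructed inputs the MFA option removes far more risk in absolute terms and wins on net benefit, while the cheaper monitoring option has the higher ROI ratio; which ranking matters depends on whether the constraint is a fixed budget or the total risk to be retired, and making that trade-off explicit is exactly the prioritization problem the maturity definition above is about.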

Get more detail on the capabilities of the RiskLens platform.

Altogether, Steve writes, “The newest version of the RiskLens platform significantly simplifies strategic, tactical, and governance-driven risk assessments.”

RiskLens Enhances the Maturity Models You Already Use

RiskLens is not only compatible with NIST CSF and other NIST publications, CIS Controls, the ISO 27000 series, HITRUST CSF, the HIPAA Security Rule, and other standards and frameworks; it also enhances their use by guiding which of the recommended controls and processes to deploy, based on a cost-benefit analysis. In fact, the FAIR™ standard is recommended for risk analysis and risk management in the NIST CSF.

Learn more: Manage Cyber Risk Cost-Effectively with NIST CSF & FAIR

Contact us to discover how RiskLens can help your organization raise its risk management maturity level by helping you prioritize and communicate risk management initiatives with the power of risk quantification.