When Someone Says, “We Are Not Mature Enough for Cyber Risk Quantification” I Get Mad!

April 1, 2021  Steven Tabacek and Leanne Scott

Learn how the RiskLens platform has evolved to meet the latest critical needs of security and risk teams from Steven Tabacek, Co-Founder and Managing Director, Customer Experience, at RiskLens. And Leanne Scott, Customer Success Executive at RiskLens, tells some customer success stories with the new capabilities of the platform.

Steve and Leanne_CS Team Ten years ago, when I joined Jack Jones as a cofounder of RiskLens I quickly bought in to the value proposition of Factor Analysis of Information Risk (FAIR™) and the idea of turning the methodology into a software business.

After building my first business IT-Lifeline, the largest data backup and business continuity center in the Northwest, it was easy for me to assess the value of FAIR because it helped enumerate my clients’ risk of outage, downtime, and consequently associated losses. This easily provided an ROI for data backup and business resiliency services. I was sold on FAIR!

I figured launching RiskLens with Jack would be a no-brainer. Who wouldn’t want to understand loss exposure associated with cybersecurity and technology risk? Who wouldn’t want to make the most cost-effective risk mitigation decisions when budgets are limited?

I Was Naïve…

I was naïve when it came to launching a business into an emerging market. In 2010, many in the cybersecurity industry defined risk best practices as implementation of checklist-based maturity models, control checklists, and qualitative high/medium/low, red/yellow/green (gut) assessments.

I also underestimated the skill and time necessary to build a FAIR-based risk quantification program. Today I can acknowledge that the first two iterations of the RiskLens application were like a complex scientific calculator. It took a significant amount of training and skill to master a FAIR-based risk analysis.

FAIR Model on a Screen EmailOnce a person mastered the definitions behind the FAIR ontology, additional challenges obtaining data from subject-matter-experts made the cost of doing analysis work too resource intensive and expensive.

One other major obstacle was the industry’s reluctance to advance cybersecurity risk management practices. People loved the simplicity of qualitative assessments. How much easier could it get than red/yellow/green?

Times Have Changed – Now, Cyber Risk Quantification (CRQ) Is All the Rage

So, what has changed, and why is CRQ all the rage today? Why has the FAIR Institute (fairinstitute.org) membership grown from zero to nearly 11,000 members since 2015?

Change didn’t happen overnight. It started in 2014 and 2015 with a long list of major cybersecurity breaches. They became weekly or monthly headline events. Eventually Board Directors started asking “how much risk do we have to similar scenarios?” Regulators also got involved. The SEC published guidance multiple times, most recently in 2020 (Cybersecurity and Resiliency Observations) with the message that “effective cybersecurity programs start with the right tone at the top.”

Today, I clearly recognize why RiskLens was not a first year, viral success. I now recognize the characteristics of an emerging science, market, and the cultural adaptation effects of recommending new best practices.

I also recognize that our first couple generations of the application were for those that exhibited patience and tolerance. Those who endured the scientific approach clearly benefited from cost-effective risk managed programs, however patience and tolerance was part of the early-adopter cost.

Child Growing - Not Mature Enough for Cyber Risk Quantification“Not Mature Enough for CRQ” – What They’re Really Saying

Now with that historical perspective, let’s reflect on the title of this blog:

As a cofounder of RiskLens, I have listened to nearly every reason for not employing risk quantification into cybersecurity and technology risk management programs. Here are the most common, with some related reading materials:

Why I Get Mad (at Myself)

The reason why I get mad when I hear these reasons ten years after starting RiskLens is because it proves that I/we need to do a better job communicating the efficiencies and proven practices gained by advancing risk quantification using the RiskLens platform.

I personally believe the “we are not mature enough to deploy risk quantification” is a catch-all polite way of saying “You haven’t provided a compelling enough reason for me to consider RiskLens. Simply put, we haven’t provided the ROI or marketplace success stories proving RiskLens can more cost-effectively manage cybersecurity and technology risk.

The New RiskLens Answers All the ‘Maturity’ Questions

The newest version of the RiskLens platform significantly simplifies strategic, tactical, and governance-driven risk assessments:

  • Risk analysis time requirements have been reduced from weeks/months to minutes (how about 15-20 minutes)!
  • Today’s RiskLens data-driven platform is designed for immediate time-to-value for proven use cases like identifying and communicating top risk to stakeholders, proving cost-effective mitigations for identified risk, and overall efficient allocation of CISO budget to burn down risk over time.

In other words, the platform meets the critical needs of our clients at any maturity level.

If you’re an existing customer still employing the scientific approach within the platform, a prospect that has investigated FAIR/RiskLens in the past, or an industry analyst, it’s time to give RiskLens another look!

I’ll now turn it over to Leanne Scott, to extend my goal to better communicate the proven value of the RiskLens platform.

Take a Look at the New Capabilities of the RiskLens Platform

Taking up Steve’s challenge, I want to explain how RiskLens clients are experiencing wins with cyber and technology risk quantification faster and easier than ever before with our platform.  Let’s take a look at some of those experiences:

Rapid Risk Assessments

RSK-9_Rapid_Risk_Assessment_Per_Event_Loss_Magnitude_Chart-Top-5-1024x579Rapid Risk Assessments, (nickname: “FAIR Fast”) provide the ability for a CISO to understand the risk landscape in a matter of a couple of days.  With an experienced facilitator, an organization’s top 30-50 risk scenarios can be identified in 3-4 hours.  With another 3-4 ho

urs, those risks can be quantitatively triaged and prioritized in RiskLens.  At a large client site, twelve business units went through this exercise in just over 3 months and that was only due to the schedule complexities of the participants.  Imagine being able to report this prioritized list of enterprise risks and aggregated amount of risk per business unit to your stakeholders.

Guide to Using Rapid Risk Assessment in the RiskLens Platform

Risk Treatment Analysis

RiskLens-Platform-Risk-Treatment-Analysis-Comparison-Quantify-Key-Cyber-Risks-for-New-AcquisitionsRisk Treatment Analysis provides the ability to easily see the impact of a control compared to its cost.  One client had a subscription-based control that they needed to renew.  The business unit claimed that the control cost more than the event it was designed to prevent.  The risk assessment team’s quantitative analysis results proved that the control’s impact on loss exposure was far less than its cost.  The business unit was able to re-allocate hundreds of thousands of dollars as a result. 

Another client was planning to invest hundreds of thousands of dollars in a new control.  Again, a quantitative risk assessment proved the ROI was negative and the company abandoned the project. Not only were funds re-allocated, the company also re-allocated resources to more beneficial work.

Learn about RiskLens Risk Treatment Analysis for Cost-Effective Decision-Making

Under the Covers – What exactly enables faster, simpler RiskLens Platform decision support?

1.  Industry Data

RiskLens provides industry-agnostic Fines and Judgements default data saving time for analysts and SMEs from having to find and populate this data themselves. Last year, we upgraded this offering to provide industry-based data for eight industries. Expect this trend of providing default data in varying contexts to continue.

2.  Data Helpers

With Data Helpers, analysts can store data for repeated use in answering risk analysis workshop questions.  Our consultants work with customers to guide them on the most effective way to define and use Data Helpers.  This collaboration has greatly enabled customers to perform analyses more quickly with one customer experiencing a 10x increase in velocity.  While our focus has been on loss magnitude data helpers, expect data helpers on the loss event side of the FAIR model soon.

3.  Reporting

RiskLens application reporting was improved throughout 2020 and that effort continues today.  The Top Risk Report and the enhanced Scenario Executive Summary Report help analysts explain quantitative analysis results better than ever with summary statements and graphics that can be used directly in presentations.  In 2021, RiskLens will focus on executive reporting to break down the communication barrier between quantitative analysts and managers to executives and the board.

4.  ARiskLens API - Custom Top Risk Report Using the RiskLens Data Export API - EmailPI

The RiskLens API enables integration between certain GRCs in order to streamline the risk analyst workflow.  RiskLens also has a generic API that provides access to analysis details for clients to use in their own dashboard or reporting platform. Both of these APIs will continue to expand in scope and functionality to improve efficiencies of quantitative risk analysis.

RiskLens is continuously working to make technology risk quantification faster and easier to inform risk decisions, and RiskLens has helped many companies benefit as a result.  Stay connected with us so you don’t miss out!