It involves a CISO we know who was faced with an audit finding that would have required millions of dollars and months of business disruption to remediate. With FAIR analysis, the method that powers the RiskLens application, the CISO came up with a solution that cost far less and produced far better results.
Jay Soni is Team Lead-Sales Central US/Canada for RiskLens
I like this story because it makes four key points about quantitative cyber risk analysis:

Explicit risk analysis is better than implicit risk analysis. Explicit, as in using a well-defined model and some analytic rigor to show ranges of probable loss in dollars. Implicit, as in making assumptions regarding how and to what degree controls reduce risk.
Here’s the story, as told in Measuring and Managing Information Risk by Jack Jones and Jack Freund, the book that introduced the FAIR model for cyber risk analysis.
“The CISO was faced with a PCI audit that had identified the absence of data-at-rest encryption on his organization’s primary business databases. These systems contained massive volumes of credit card and other sensitive information.
“Unfortunately, when brought in to pitch their solutions, the encryption vendors all admitted that (1) their products hadn’t been applied to databases of that size/architecture before and they could not guarantee that there wouldn’t be problems, and (2) any implementation was going to require significant changes to the business applications.
“The cost implications ran into the millions of dollars, with an implementation timeline of at least 18 months and an expectation of some amount of business disruption during the process.
“The CISO used FAIR to evaluate and compare the current state of loss exposure, the loss exposure reduction expected to result from data-at-rest encryption, and the loss exposure reduction expected from an alternative set of controls.
“These alternative controls included, but were not limited to:
“At the end of the analyses, the CISO was able to show that the alternative controls provided better risk reduction than encrypting data-at-rest.
“Better yet, these alternative controls required no changes to applications, no business disruption, a much faster time to implement, and costs under $500,000.
“When presented with these analyses, the PCI QSA had no problem signing off on the solution.”
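The comparison the CISO ran, reduced to its mechanics as an added example. This is not the book's or RiskLens' code, and every number in it is a constructed placeholder rather than a figure from the case: FAIR expresses risk as Loss Event Frequency (events per year) times Loss Magnitude (dollars per event), each estimated as a calibrated range (minimum, most likely, maximum). Sampling those ranges with a PERT distribution and multiplying gives a distribution of annualized loss exposure for the current state and for each control option, so the options can be ranked by loss reduction and by reduction per dollar of cost. The constructed assumption that encryption at rest mostly trims loss magnitude while the alternative control set mostly trims event frequency is the example's, not the page's.

```python
"""
FAIR-style loss exposure comparison (added example; all inputs are constructed).

Risk = Loss Event Frequency (LEF, events/year) x Loss Magnitude (LM, $/event).
Each factor is a calibrated (min, most likely, max) estimate, sampled with a
modified-PERT distribution; Monte Carlo sampling turns the ranges into a
distribution of annualized loss exposure (ALE) per scenario.
"""
import random
import statistics
from dataclasses import dataclass

PERT_LAMBDA = 4.0  # standard modified-PERT shape parameter


@dataclass(frozen=True)
class Estimate:
    low: float
    most_likely: float
    high: float

    def mean(self) -> float:
        # Analytic mean of a modified PERT with lambda = 4.
        return (self.low + 4 * self.most_likely + self.high) / 6

    def sample(self, rng: random.Random) -> float:
        span = self.high - self.low
        if span <= 0:
            return self.low
        a = 1 + PERT_LAMBDA * (self.most_likely - self.low) / span
        b = 1 + PERT_LAMBDA * (self.high - self.most_likely) / span
        return self.low + rng.betavariate(a, b) * span


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: Estimate   # loss events per year
    lm: Estimate    # dollars per loss event
    cost: float     # one-time cost of the control set (0 for current state)


def simulate_ale(scenario: Scenario, trials: int = 20000, seed: int = 1) -> list:
    # Same seed for every scenario = common random numbers, so scenarios
    # differ only by their assumptions, not by sampling noise.
    rng = random.Random(seed)
    return [scenario.lef.sample(rng) * scenario.lm.sample(rng) for _ in range(trials)]


def summarize(losses: list) -> dict:
    losses = sorted(losses)
    n = len(losses)

    def pct(p: float) -> float:
        return losses[min(n - 1, int(p * n))]

    return {"mean": statistics.fmean(losses), "p10": pct(0.10),
            "p50": pct(0.50), "p90": pct(0.90)}


def compare(baseline: Scenario, options: list, trials: int = 20000, seed: int = 1):
    """Rank control options by mean ALE reduction against the baseline."""
    base = summarize(simulate_ale(baseline, trials, seed))
    rows = []
    for opt in options:
        s = summarize(simulate_ale(opt, trials, seed))
        reduction = base["mean"] - s["mean"]
        rows.append({"name": opt.name, "mean_ale": s["mean"], "p90": s["p90"],
                     "reduction": reduction, "cost": opt.cost,
                     "reduction_per_dollar": reduction / opt.cost})
    rows.sort(key=lambda r: r["reduction"], reverse=True)
    return base, rows


def scaled(est: Estimate, factor: float) -> Estimate:
    return Estimate(est.low * factor, est.most_likely * factor, est.high * factor)


# Constructed scenarios (placeholder figures, not the case's real numbers).
BASELINE = Scenario("current state",
                    Estimate(0.1, 0.5, 2.0),
                    Estimate(500_000, 5_000_000, 50_000_000), cost=0)
# Assumption: encryption at rest leaves frequency unchanged and trims magnitude.
ENCRYPTION = Scenario("data-at-rest encryption",
                      BASELINE.lef, scaled(BASELINE.lm, 0.75), cost=3_000_000)
# Assumption: the alternative control set cuts frequency hard, magnitude a little.
ALTERNATIVE = Scenario("alternative control set",
                       scaled(BASELINE.lef, 0.4), scaled(BASELINE.lm, 0.8), cost=450_000)

if __name__ == "__main__":
    base, rows = compare(BASELINE, [ENCRYPTION, ALTERNATIVE])
    print(f"current state: mean ALE ${base['mean']:,.0f} "
          f"(p10 ${base['p10']:,.0f}, p90 ${base['p90']:,.0f})")
    for r in rows:
        print(f"{r['name']:<26} mean ALE ${r['mean_ale']:,.0f}  "
              f"reduction ${r['reduction']:,.0f}  cost ${r['cost']:,.0f}  "
              f"reduction/$ {r['reduction_per_dollar']:.2f}")
```

Because both options reuse the baseline's random draws, each option's per-trial loss is the baseline's loss scaled by its assumed factors, so the ranking reflects the assumptions and not Monte Carlo noise; the percentiles are what an "explicit" analysis reports as a range of probable loss rather than a single number.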
It's worthwhile to note that this analysis took approximately three days to perform. Not a bad investment of time for a far less expensive and more effective solution.