One of the key benefits of taking a quantitative approach to cyber risk management with the RiskLens platform is enabling better resource prioritization: more efficient allocation of people, processes, and budget around the risks that matter most and for maximum risk reduction. By putting a price on risk (an organization’s loss exposure), quantification shows decision makers how alternative tactics compare in the apples-to-apples, financial terms that everyone understands.
FAIR™, the model behind the RiskLens platform, powers financial analysis of cyber risk – but it goes deeper than that. FAIR is also a method for critical thinking that defines risk in a consistent and useful way and focusses analysis on loss events with a frequency and magnitude of impact. RiskLens makes FAIR operational. The RiskLens platform acts as a decision support platform which provides a solid foundation for prioritization truly based on risk, not a checklist of recommended controls or the opinions of the most senior manager at the table.
8 Steps to Prioritizing Infosecurity with Cyber Risk Quantification:
1. Understand the organization’s true risks, clean up the risk register.
Often, the organization’s risk register is the embodiment of failure to prioritize, as FAIR model creator and RiskLens co-founder, Jack Jones writes, “a due diligence dumping ground for everything that turns up from audits, self-examinations, policy exceptions, etc….None of those things are risks…They are conditions that contribute to risk.
“’Risk management’ is (or should be) about managing the frequency and severity of adverse events (e.g., outages from DDoS, ransomware events, unauthorized disclosure of confidential information, etc.).”
Step one toward prioritization is creating a workable list of risks – this is something that RiskLens helps you with as part of your engagement:
2. Triage everyday risks.
The reality of cyber risk management, RiskLens’ Bryan Smith writes, is “a constant barrage of security issues to analyze….To effectively understand the severity of these issues and direct appropriate response, you need to quickly understand if there is any risk associated with them and size it.”
With the new Triage function, Bryan writes, the RiskLens cyber risk quantification platform can:
- Ingest ad-hoc inputs such as audit findings, security policy exceptions, community threat alerts, zero-day disclosures in RiskLens for rapid analysis
- Quickly define, document and utilize the potential loss events related to these inputs
- Run a quantitative risk analysis of these potential loss events in 15 minutes or less and determine the probable financial loss exposure
Loss events that appear to be higher priority based on loss exposure can then be moved to an in-depth risk quantification analysis.
3. Prioritize top risks.
The first in-depth, quantitative risk analysis most RiskLens clients complete is the identification of their five or more top risks, as a starting point for prioritization. The process typically starts with a longer list of perceived top risks which gets sifted down by critical analysis and the RiskLens platform.
The platform provides a structured way to gather data from within the company — for instance, potential costs of lawsuits from the legal department, frequency of attack and strength of controls from first-line infosec defenders — combined with industry-wide data to provide the underlying fact set on frequency and magnitude of cyber loss events. Data gets run through the RiskLens engine to produce a range of probable loss event outcomes in financial terms.
Top Risks analysis results can surprise: For instance, high impact events may turn out to be low probability, while high frequency but low impact events can cumulatively present the most risk over time.
4. Determine risk appetite.
Critical to prioritizing a risk management program, and in particular to getting the most benefit out of quantified cyber risk analysis, a risk appetite sets an agreed-on limit to loss exposure. The RiskLens platform makes it possible to define an appetite, then apply it to probable loss event scenarios. In this blog post, RiskLens’ Rachel Slabotsky shows how it works, step-by-step to
Step 1 – Identify the loss event type(s) that are most relevant
Step 2 – Define thresholds for “unacceptable” loss exposure
Step 3 – Validate risk appetite value(s) using a sample of quantitative risk scenarios and obtain buy-in
5. Determine ROI on security investments.
The powerful capabilities of the RiskLens platform make it possible to perform ‘what-if analysis’ so, for instance, the effect of different controls can be compared to see how each reduces the loss exposure in a given risk scenario. See it action in this Case Study comparing controls for misaddressed emails that could create a confidentiality loss.
6. Determine staffing requirements.
RiskLens analysis can be used for decision support for hiring or other administrative spending related to a cybersecurity program. As RiskLens Risk Science Director Jack Freund explains, the key is to tie the investment to a measurable outcome — hiring a project manager to combat cost over-runs, for instance. “Now it’s just a matter of using FAIR to estimate how often we experience those things (and associated costs), and how much less we may experience them after this investment (and how much less we are apt to lose),” Jack writes.
7. Align with ERM and other organization-wide initiatives.
CISOs would do well to align cybersecurity spending with corporate strategic initiatives, as well as the enterprise risk management (ERM) program. Historically, cyber risk has been left out of the ERM conversation because, unlike other risks, it couldn’t be discussed in financial terms — now cyber risk quantification makes it possible for CISOs to take a seat at the ERM table, as well as the board table, where directors take an enterprise-wide, financially driven view of the business.
8. Set a budget
As Steve Tabacek, co-founder and President of RiskLens, explains in this blog post, the security budget is the ultimate prioritization document—every proposed line item should be backed by ROI justification, the product of RiskLens risk analyses.