By Joe Vinck
With the growing interest in Factor Analysis of Information Risk (FAIR™), we hear a lot from people who have read about FAIR or even taken FAIR training and are really excited about the potential power of cyber risk quantification for risk management – but have come away with the impression that to actually bring a quantitative risk management program to life in their organization would be…
…a slow, evolutionary process.
Well, it is a process of upward evolution from qualitative, opinion-driven, red-yellow-green risk analysis to critical thinking about risk in financial terms. And yes, bringing your entire organization to a common way of thinking about risk as loss events instead of vague worries like “the cloud” is a great step forward.
Joe Vinck is a Strategic Account Executive for RiskLens
But you can jump right into FAIR risk analysis, and derive almost immediate value by focusing on a specific use case and pain point. You can then bring your organization around later when you show them the value in improved insight into risk.
Options to Start Quantitative Cyber Risk Management
We’ve seen new RiskLens clients get up to speed quickly (and persuade their organizations of the value of cyber risk quantification) with the various use cases below, divided into three categories critical to any organization:
Strategic Decisions
Focus on a short list of top risks of concern to the board or senior management. Use cases might include:
Semi-annual Top Risks Reporting
Tracking the scenarios covering existential risks to the organization, and comparing them to risk appetite.
Annual CISO Budget
Proving risk reduction and ROI
Annual Insurance/Capital Reserves Review
Assessing insurance and reserves against probable impact from top risks.
Operational Decisions
Emphasis on risks across platforms, business units, asset classes and other categories, to support decision-making with comparative and cost-benefit analysis on digital initiatives, enterprise architecture, regulatory compliance, etc. Use cases might include:
Decision Support for Projects
Moving apps to the cloud vs. keeping them on premise; removing or reducing controls; insourcing vs. outsourcing the SOC
Asset Management
Assess risk of ERP-defined projects; identify and analyze supply chain risk
Tactical Decisions
Prioritizing work and resources on everyday issues. Use cases might include:
Routine Policy Exceptions/Risk Accepts
Quantify risk scenarios for full understanding
Routine Threat and Vulnerability Analysis
For SOC issues or other ad hoc situations
Regulatory Response
Answering SEC, NYDFS, CCPA, OSFI, SBS requirements; defending audit findings
Routine Third Party Assessment
Know your vendor C-I-A risk
Setting Your Plan
Pick one use case to get started – make it high value in terms of immediate pain reduction for the organization. With a customized proof of value engagement, RiskLens can help you select your first use case and guide you through the analysis process, so you get a good look at our platform and at working with Factor Analysis of Information Risk, while quickly getting value back in the process. And prior to every full-scale acquisition of the RiskLens platform, we develop, together with the client, a charter document that clarifies the issues, timelines and goals for the program.
For a complete view of the capabilities of the RiskLens platform and services, see the RiskLens/FAIR Enterprise Model Guide on a Page