By Joe Vinck

With the growing interest in Factor Analysis of Information Risk (FAIR™), we hear a lot from people who have read about FAIR or even taken FAIR training and are really excited about the potential power of cyber risk quantification for risk management – but have come away with the impression that to actually bring a quantitative risk management program to life in their organization would be…

…a slow, evolutionary process.

Well, it is a process of upward evolution from qualitative, opinion-driven, red-yellow-green risk analysis to critical thinking about risk in financial terms. And yes, bringing your entire organization to a common way of thinking about risk as loss events instead of vague worries like “the cloud” is a great step forward.

Joe Vinck is a Strategic Account Executive for RiskLens

But you can jump right into FAIR risk analysis, and derive almost immediate value by focusing on a specific use case and pain point. You can then bring your organization around later when you show them the value in improved insight into risk.

Options to Start Quantitative Cyber Risk Management

We’ve seen new RiskLens clients get up to speed quickly (and persuade their organizations of the value of cyber risk quantification) with the various use cases below, divided into three categories critical to any organization:

Strategic Decisions

Focus on a short list of top risks of concern to the board or senior management. Use cases might include:Semi-annual Top Risks Reporting

Tracking the scenarios covering existential risks to the organization, and comparing to risk appetite.

Annual CISO Budget

Proving risk reduction and ROI

Annual Insurance/Capital Reserves Review

Assessing insurance and reserves against probable impact from top risks.

Operational Decisions

Emphasis on risks across platforms, business units, asset classes and other categories, to support decision-making with comparative and cost-benefit analysis on digital initiatives, enterprise architecture, regulatory compliance, etc. Use cases might include:

Decision Support for Projects

Moving apps to the cloud/keeping on premise Removing/reducing controls Insourcing/outsourcing SOC

Asset Management

Assess risk of ERP defined projects ID and analyze supply chain risk

Tactical Decisions

Prioritizing work and resources on everyday issues,

Routine Policy Exceptions/Risk Accepts

Quantify risk scenarios for full understanding

Routine Threat and Vulnerability Analysis

For SOC issues or other ad hoc situations

Regulatory Response

Answering SEC, NYDFS, CCPA, OSFI, SBS Defending audit findings

Routine Third Party Assessment

Know your vendor C-I-A risk

Setting Your Plan

Pick one use case to get started – make it high value in terms of immediate pain reduction for the organization. With a customized proof of value engagement, RiskLens can help you select your first use case, and guide you through the analysis process, so you receive a good look at our platform and working with Factor Analysis of Information Risk, while quickly getting value back in the process. And prior to every full-scale acquisition of the RiskLens platform, together with the client, we develop a charter document that clarifies the issues, timelines and goals for the program.

For a complete view of the capabilities of the RiskLens platform and services, see the RiskLens/FAIR Enterprise Model Guide on a Page