As Jack Jones, co-founder of RiskLens, tells the story, he started down the road to creating the FAIR™ model for cyber risk quantification because of âtwo questions and two lame answers.â As CISO at Nationwide insurance, he presented his pitch for cybersecurity investment and was asked:
âHow much risk do we have?â
âHow much less risk will we have if we spend the millions of dollars youâre asking for?â
To which Jack could only answer âLotsâ and âLess.â
âIf he had asked me to talk more about the âvulnerabilitiesâ we had or the threats we faced, I could have talked all day,â he recalled in the FAIR book, Measuring and Managing Information Risk.
In that moment, Jack saw the need for a way that cybersecurity teams could communicate risk to senior executives and boards of directors in the language of business, dollars and cents.
Some CISOs are still in the position of Jack pre-quantification â talking all day and delivering lame answers, from the boardâs point of view. Hereâs a short guide to what theyâre not saying â and how RiskLens, the analytics platform built on FAIR, can provide the right answers.
1. I donât really know what our top risks are
I can ask a group of subject matter experts in the company to vote on a top risks list based on their opinions, but thatâs as close as I can get.
Top Risks is the first report that many new RiskLens users run, and it only takes minutes, using the Rapid Risk Assessment capability of the RiskLens platform. The platform guides you through properly defining a set of risks (say, from your risk register) for quantitative analysis according to the FAIR standard. To speed the process, the platform draws on data from pre-populated loss tables. The resulting analysis quickly stack-ranks the risks for probable size of loss in dollar terms, across several parameters.
2. I canât give you an ROI on the money you give me to invest in cybersecurity
You see, cybersecurity is different from other programs youâre asked to invest in â itâs constantly changing and never-ending. You never really hit a point of success; you just chip away at the problem.
With Top Risks in hand, RiskLens clients can dig deeper on individual scenarios and run a Detailed Analysis to expose the drivers of risk to see, for instance, what types of threat actors account for the highest frequency of attacks or what classes of assets account for the highest probable losses. Then they can run the Risk Treatment Analysis capability of the platform to evaluate controls for their ROI in risk reduction.
3. I canât really tell you if things are getting better on cyber risk.
I can show you our progress with compliance checklists and maturity scales, and I hope youâll assume thatâs reducing risk.
While compliance with NIST CSF, CIS Controls, etc. is good and useful, these frameworks donât measure performance outcomes in reducing risk â that takes a quantitative approach. The RiskLens platform can aggregate risk scenarios to generate risk assessment reports showing risk across the enterprise or by business unit, in dollar terms â and to show risk exposure over time. Itâs easy to update and re-run risk assessments, thanks to the platformâs Data Helpers that store risk data for re-use. Update a Data Helper, and all the related risk scenarios update at the same time â and so do the aggregated risk assessments.
4. I canât help you set a risk appetite.
I donât really know how much risk we have and am pretty much operating on the principle that no risk is acceptable.
Boards should have a strong sense of their appetite for risk in cyber as in all fields, but qualitative (high-medium-low) cyber risk analysis only supports vague appetite statements that are difficult to follow in practice. On the RiskLens platform, a CISO can input a dollar figure for ârisk thresholdâ as a hypothetical, and run the analyses to rank how the various risk scenarios stack up against that limit, making a risk appetite a practical target.
5. I donât know how to align cyber risk management with the other forms of risk management we do.
Enterprise risk, operational risk, market risk, financial riskâIâve heard their board presentations in quantitative terms. But cyber is just different.
Quantification is the answer â reporting on cyber risk in the same financial terms that the rest of enterprise risk management programs employ finally gives the board what it wants to hear on cyber risk management. ISACA, the National Association of Corporate Directors and the COSO ERM framework have all recommended FAIR for board reporting. As an ISACA white paper said,
The more a risk-management measurement resembles the financial statements and income projections that the board typically sees, the easier it is for board members to manage cybersecurity riskâŠFAIR can enable the economic representation of cybersecurity risk that is sorely missing in the boardroom, but can illuminate cybersecurity exposure.
, ever-increasing regulations, and the potential effect of brand damage on profits has made 
a mainstream board-level issue. It has never been more important for 
and processes to be in line with business
feel they are being heard, business leaders admit they aren’t listening.
with business priorities will be much easier.
are the common factor understood by both sides and could be used as the primary driver in this alignment. The reality, however, is this isnât always happening
s to better understand the use of metrics to communicate with business leaders: why metrics are necessary; how they can be improved; what are the problems; and what is the prize?
/
, 
s, Proxies, or any other solution you have actually do. They only care about the level of risk in the company.â
impact specific 
.
that business leaders understand. This can be used to start the process for each side to learn more about the other. Business will begin to see how security reduces risk, and will begin to specify other areas that need more specific protection.
and information stored, processed, or transmitted by the organization. These departments and these leaders tend to provide metrics that focus on their tactical duties rather than business drivers that concern the board/C-suite.â
. Logins, blocked traffic, transaction counts, etc… but most do not map back to business objectives or are explained in a format business leaders can understand or care about. Good metrics need to be tied to dollars, business efficiency shown through time improvements, and able to show trending patterns of security effectiveness as it relates to the business. That’s the real challenge.â
and president-elect of ISSA. âThat is a mistake, because security is our job. We need to better understand the business, so that we can articulate the impact of not applying 
. The key to this whole approach is for the CISO to understand the business, and to understand the mission and goals of the business.â
and 
systems. They must manage teams and get leadership approval in order to successfully implement a system that aligns with overall business goals.
will need to appoint both technical and non-technical individuals to support a risk management system, which requires communication in a language that everyone can relate to. Additionally, senior executivesâ approval is required and this will involve presenting proposals in non-technical terms.
