“Don’t boil the ocean,” “manage expectations” and “baby steps” are common phrases that capture the mindset needed for consistent, sustained growth of a FAIR™ cyber risk quantification program. But every now and then it’s nice to get some quick wins to gain visibility and establish credibility within your organization.
Here are three quick and low-intensity efforts that can mature your quantitative risk analysis program: automate, template, and integrate.
Caleb Juhnke is Senior Information Security Engineer (Cyber Risk Quantification), Equinix.
Also by Caleb: What to Do After You Pitch Quantitative Risk Analysis
Automate Data Collection
Robust data leads to better analysis and better decision support. Here’s the catch: subject-matter expert (SME) exhaustion. I’ve had the pleasure of networking with many accomplished and seasoned quantitative analysts, and a common theme has been difficulty around data gathering, specifically from SMEs.
The organization’s business analysts, patch management teams, and SOC analysts have full-time jobs. Right or wrong, sitting through data gathering calls is not high on their priority list. Data requests that are too repetitive or too frequent will result in burnout.
A key part of FAIR development in your organization must be data independence. Network with the cybersecurity disciplines across your organization and use your goodwill to gain access to the troves of existing data on dashboards, logs, and SharePoint repositories.
Additionally, being included on automated distribution lists and alerts positions your team to gather important data without cluttering stakeholder calendars. There is a positive correlation between your data independence and stakeholder support.
Template Data Intake
A growing risk quantification program usually means bringing on more analysts. With the increase in analytical power also comes an increase in personalities, communication styles, and assumptions.
Diversity of thought is a core component in any program, but standardization of communication channels is key to delivering a consistent product.
When the team must reach out to stakeholders, use templated data intake forms. This allows SMEs to become accustomed to the types of questions needed for better analysis, and it empowers the risk management team to effectively engage the organization.
The value of templating is not limited to communication outside of the risk team. As multiple analysts engage in independent research and analysis, it is important to document the rationale used for estimates. Templating and defining required information fields used in the analyst’s rationale will create a consistency of analysis that allows for greater transparency and uniformity in reporting.
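The intake template described above can be enforced in code rather than by convention. The following is an added example, not code from the original post or from the FAIR Institute: it defines one estimate record with a calibrated range (minimum, most likely, maximum) and a confidence value, and rejects any submission whose rationale lacks the required fields or whose range is inconsistent. The field names, the list of required rationale fields, and the two sample records are assumptions chosen for illustration.

```python
"""Templated data-intake record for FAIR-style estimates.

Added example for illustration; the field names, the required-rationale
rule and the sample records below are assumptions, not the FAIR Institute's
or the original author's template.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Rationale fields every analyst must fill in before an estimate is accepted
# (assumed set; adapt to the program's own reporting needs).
REQUIRED_RATIONALE_FIELDS = ("data_source", "assumptions", "collected_from")


@dataclass
class EstimateRecord:
    factor: str            # e.g. "threat_event_frequency" or "loss_magnitude"
    unit: str              # e.g. "events/year" or "USD"
    minimum: float
    most_likely: float
    maximum: float
    confidence: float      # analyst's confidence the true value lies in the range, (0, 1]
    rationale: Dict[str, str] = field(default_factory=dict)

    def validate(self) -> List[str]:
        """Return a list of problems; an empty list means the record is accepted."""
        problems: List[str] = []
        if not (self.minimum <= self.most_likely <= self.maximum):
            problems.append("range must satisfy minimum <= most_likely <= maximum")
        if self.minimum < 0:
            problems.append("minimum must be non-negative")
        if not (0.0 < self.confidence <= 1.0):
            problems.append("confidence must be in (0, 1]")
        for name in REQUIRED_RATIONALE_FIELDS:
            value = self.rationale.get(name, "")
            if not str(value).strip():
                problems.append(f"rationale field '{name}' is missing")
        return problems

    def is_valid(self) -> bool:
        return not self.validate()

    def report_row(self) -> str:
        """Uniform one-line summary so every analyst's estimate reads the same way."""
        return (f"{self.factor}: {self.minimum:g}-{self.maximum:g} {self.unit} "
                f"(most likely {self.most_likely:g}, confidence {self.confidence:.0%}); "
                f"source: {self.rationale.get('data_source', '')}")


def intake(records: List[EstimateRecord]) -> Tuple[List[EstimateRecord], Dict[str, List[str]]]:
    """Partition submitted records into accepted ones and rejected ones with reasons."""
    accepted: List[EstimateRecord] = []
    rejected: Dict[str, List[str]] = {}
    for rec in records:
        problems = rec.validate()
        if problems:
            rejected[rec.factor] = problems
        else:
            accepted.append(rec)
    return accepted, rejected


# Constructed sample submissions: one complete, one with two template violations.
SAMPLE_RECORDS = [
    EstimateRecord(
        factor="threat_event_frequency", unit="events/year",
        minimum=2, most_likely=6, maximum=12, confidence=0.9,
        rationale={"data_source": "SOC ticket export, last 24 months (constructed)",
                   "assumptions": "ticket volume is a proxy for attempts reaching the asset",
                   "collected_from": "SOC lead, via standard intake form"},
    ),
    EstimateRecord(
        factor="loss_magnitude", unit="USD",
        minimum=50_000, most_likely=20_000, maximum=10_000, confidence=0.9,
        rationale={"assumptions": "single incident, no regulatory fine"},
    ),
]


def run_sample() -> Tuple[List[EstimateRecord], Dict[str, List[str]]]:
    """Run the constructed submissions through intake and return the result."""
    return intake(SAMPLE_RECORDS)


if __name__ == "__main__":
    accepted, rejected = run_sample()
    for rec in accepted:
        print("ACCEPTED ", rec.report_row())
    for factor, problems in rejected.items():
        print("REJECTED ", factor, "->", "; ".join(problems))
```

Because the same validation runs on every submission, a missing data source or a reversed range is caught at intake instead of surfacing later in a report, and every accepted estimate produces an identical summary line regardless of which analyst entered it.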
Integrate Risk Analysis with Decision Support
After successfully evangelizing FAIR and quantitative analysis, the risk program may find its services in high demand. But it is important to ensure that not every risk analysis and decision-support request is handled ad hoc.
It is essential to develop processes and process hand-offs that bake quantitative analysis into operational, tactical, and strategic decision support. Successfully integrating into internal stakeholders' existing processes helps manage work levels and set expectations for the program.
Where integration should occur can usually be identified by asking one question, "What decision are we trying to make?", and then plugging risk quantification into the existing process that answers it.
Finding ways to automate, template, and integrate is often as simple as a conversation with stakeholders. Keep that in mind while you develop goals for your quantitative risk management program!