I previously wrote a blog post, My Risk Problem and How I Solved It, about how the lightbulb finally went on after learning FAIR™ - I realized that you can’t build a risk management program with just inherent and residual risk. Eventually you will just come up short and get to the wondering, “How can risk management provide meaningful decision support for the business?”.
Tim Wynkoop is onboarding manager for RiskLens
In reality, risk management programs built on the various standards in the industry, for instance from NIST or ISO, are a good start, but not completely effective. Taking my cue from FAIR Institute President Nick Sanna, “A good risk management program needs to be explicit [in order] to be effective” (Why Quantification Is the Core of Effective Risk Management). Usually these standards, although always improving, are lacking one or more of the foundations (the Risk Management Stack) required to maintain an effective risk management program:
[Figure: The Risk Management Stack]

I am not going to hash out the various standards and what they may or may not be missing in one or more of these aspects. Feel free to do your own research as to that. In short, what it boils down to is you need to build the right foundation to effectively manage risk within your organization.
I recognize this may seem easier said than done especially if your organization has been measuring risk a certain way for years. So you may be thinking, “What can be done to bridge this gap, especially when I have no budget to purchase something new?” Let’s take a look at a few examples.
1. How do you eat an elephant?
I am not saying nor do I condone eating an elephant. They are majestic and wonderful creatures. This is just a cliché question with a very simple answer: “One bite at a time”. This applies to your Risk Management program. Start small. Take on small changes with big impacts. Leverage the FAIR principles to change how you identify risks (Perceptions vs Reality in Identifying Risk). Instead of just taking concerns or survey results and stating those are the risks, define what the “bad” things or concerns are. What does it mean for your organization? This rather small change can have huge impacts.
2. “Happy wife, happy life”
Not to get too personal, but I am sure you have heard this saying before. Have you ever told your spouse you will be home at 6 PM and then you find yourself consistently not getting home until well after 6 PM? After a while, a disagreement may ensue. This cheeky example can be applied to your Risk Management program as well. Leverage FAIR to help account for uncertainty. The standard you may be using may try to help with that but probably doesn’t give that explicit factor you are looking for. Something simple that can be done is add some quantitative underpinnings to your risk ratings.
Before: “The likelihood of this risk is medium when one or more controls may be ineffective in preventing a breach of information.”

After: “The likelihood of this event is medium when one or more controls may be ineffective, allowing for a breach of information up to 1 time per year.”
3. “Whatever you do, always give 100%. Unless you’re donating blood” – Bill Murray
Just like this quote, is your risk management process something that is easy to follow? Start documenting your process in a way that is repeatable. Don’t settle for “This is just the way we have been doing things”. Ask questions. Combine all of those little changes previously mentioned into a well-defined process.
4. “Always leave them wanting more” – P.T. Barnum
Making these small changes in your risk management program can help pave the way to the real change - making risk-based decisions by prioritizing and justifying your cybersecurity initiatives. Leverage FAIR to understand your risk in financial terms.