How Equinix Delivers Cyber Risk Management as a Service
“Run at the speed of business”: it’s a goal of every cyber risk management team, or should be, to deliver risk-based decision support to leadership just in time, when it’s needed.
But, for FAIR practitioners, how do you crawl-walk-run from just socializing risk quantification to embedding it as a service in ongoing operations? A service that stakeholders want to seek out?
Equinix has an answer. As reported to the 2024 FAIR Conference by Zach Cossairt, Integrated Risk Program Senior Manager at the digital infrastructure company, successful cyber risk management is as much about influencing people.
It helps that Zach has an MA in Behavioral Economics as well as a FAIR certification because, as he says, “behavior change is hard.”
Watch the video of Zach’s FAIRCON24 presentation and be sure to download the deck, both loaded with detailed action steps:
FAIRCON24 Video: Risk at the Speed of Business: Delivering Risk Management as a Service with Equinix
Zach’s Key Points on Risk Management as a Service
Establish a Direction for Your Program
Work from a clear understanding of your organization’s business strategy and stick close to it. Write a program charter so all the players can get on the same page about methods and goals (and leadership can sign off). Name your “North Star” that you always navigate toward, such as “Improve the pace and quality of decision-making across the organization.”
Build a Service Catalogue
Start from the ground up by cataloguing the problems of your stakeholders that your services will address. Zach presented this detailed example as an inspiration:
Notice the proactive approach here – not waiting for walk-in customers but defining what will improve the situations of key players. And there always must be a pending business decision if the risk team’s resources are to be deployed. “Go where the decisions are being made,” Zach advises.
Test, Operate and Scale
Anticipate success – we’ve seen FAIR Institute member programs suddenly go up the hockey-stick chart, as word of the goodness of cyber risk quantification got around.
Zach gave a FAIR Conference talk on The Voltage Effect, on how a small program can gain or lose momentum (“voltage”) as it scales. “Return value fast and above expectations,” is his advice for acceleration.
For sustained growth, he gives a list of techniques to standardize and streamline your FAIR CRQ program (see below), including gently pushing clients forward. “Risk quantification is a buzzword,” he says. “A lot of times, people don’t know what they want. Nudges can help people make better choices.”
Read blog posts by Zach on FAIR and human behavior