FAIRCON22 Video: How to Launch a FAIR CRQ Program that’s Low on Resources, High on Strategy
Toymaker Funko got its cyber risk quantification program up and running with a team of two – CISO Markus Kaufmann and consultant Tom Callaghan from C-Risk – by staying tightly focused on a three-year plan of incremental wins.
See how they did it in this video of their presentation at the recent 2022 FAIR Conference:
A FAIR Institute Contributing Membership is required to view the video – sign up now.
Year One
Their first goal was to win over an executive leadership that had been indifferent to cybersecurity issues. They started with some high-level risk scenarios on the probable magnitude of the organization’s top risks.
Suddenly, the leadership saw the effect of cyber risk on critical operations. “Having risk scenarios scoped with FAIR really helped us have that discussion with the C-level and board members,” Markus said. That helped him hit his next goal: winning budget for an expanded cybersecurity team.
Year Two
In the next phase, they started on roadmap prioritization, in particular to get a handle on their most important controls by running risk scenarios – “some of the controls we thought would work turned out to not be the best fit,” Markus said. “We have to be very judicious with our resources and CRQ really helped us prioritize,” Tom commented.
Secondly, they looked to improve relationships with important shareholders and investors, as well as external auditors concerned about cyber risk. The result: “They were blown away” by the FAIR-powered plans that Markus showed. The auditors commented that this was far more sophisticated than what they were used to seeing from a company the size of Funko.
Finally for Year Two, they went through the company’s cyber insurance policy and mapped it to their top-risk scenarios, a “reassuring” presentation for the executive team, Tom said.
Year Three
“One of the areas that CRQ has really helped is demonstrating ROI,” Markus said, from specific initiatives to the entire infosecurity operation. That’s led to an expanded role for infosec, giving input on cyber risk for decisions on M&A and new products (including a recent initiative on NFTs and crypto).
The board has now asked for reporting on cyber risk on a quarterly basis – and Markus and Tom are working on risk trends reporting (see their chart below on security budget vs annualized loss exposure).
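The three uses of CRQ described above (ranking controls by how much risk they actually remove, putting a dollar figure on ROI, and charting security budget against annualized loss exposure) all rest on the same FAIR arithmetic: loss event frequency times loss magnitude, simulated over calibrated ranges. The script below is an added illustration of that arithmetic, not code or data from the presentation, Funko, or C-Risk. The scenario names, the min / most likely / max estimates, the control cost and the budget figure are all constructed for the example; a real analysis would take them from calibrated estimates for your own environment.

```python
"""FAIR-style Monte Carlo: annualized loss exposure, control ROI and
budget-vs-ALE comparison. Constructed example; every number is made up."""
import random
import statistics
from dataclasses import dataclass


def pert(rng: random.Random, lo: float, ml: float, hi: float) -> float:
    """Draw one value from a PERT distribution given min / most likely / max,
    the calibrated-estimate shape FAIR analysts commonly use. Mean = (lo + 4*ml + hi) / 6."""
    if not lo <= ml <= hi:
        raise ValueError("need lo <= most_likely <= hi")
    if hi == lo:
        return lo
    alpha = 1 + 4 * (ml - lo) / (hi - lo)
    beta = 1 + 4 * (hi - ml) / (hi - lo)
    return lo + (hi - lo) * rng.betavariate(alpha, beta)


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: tuple  # loss event frequency, events per year: (lo, ml, hi)
    lm: tuple   # loss magnitude per event in USD: (lo, ml, hi)


def simulate_annual_loss(s: Scenario, n: int = 20_000, seed: int = 1) -> list:
    """Return n simulated annual losses for one scenario.
    Simplification: annual loss = sampled frequency * sampled magnitude
    (a fuller model would draw a magnitude for every event in the year)."""
    rng = random.Random(seed)
    return [pert(rng, *s.lef) * pert(rng, *s.lm) for _ in range(n)]


def summarize(losses: list) -> dict:
    """Mean (annualized loss exposure) plus the 10th / 90th percentiles, the
    range an executive audience usually wants next to the point estimate."""
    srt = sorted(losses)
    n = len(srt)
    return {
        "ale_mean": statistics.fmean(srt),
        "p10": srt[int(0.10 * (n - 1))],
        "p90": srt[int(0.90 * (n - 1))],
    }


def control_roi(before: list, after: list, annual_control_cost: float) -> dict:
    """Compare ALE with and without a control; ROI is net benefit per dollar spent."""
    reduction = summarize(before)["ale_mean"] - summarize(after)["ale_mean"]
    net = reduction - annual_control_cost
    return {"ale_reduction": reduction, "net_benefit": net,
            "roi": net / annual_control_cost}


def budget_vs_ale(scenarios: list, security_budget: float, seed: int = 1) -> dict:
    """Total mean ALE across a set of scenarios next to the security budget,
    the two series plotted in a budget-vs-ALE trend chart."""
    total = sum(summarize(simulate_annual_loss(s, seed=seed))["ale_mean"]
                for s in scenarios)
    return {"portfolio_ale": total, "budget": security_budget,
            "ale_per_budget_dollar": total / security_budget}


# Constructed scenario: ransomware reaching production via a compromised
# remote-access credential. "WITH_MFA" assumes phishing-resistant MFA on that
# access path cuts the event frequency; magnitude is unchanged.
BASELINE = Scenario("ransomware via remote access", lef=(0.5, 2.0, 6.0),
                    lm=(50_000, 300_000, 2_000_000))
WITH_MFA = Scenario("ransomware via remote access + MFA", lef=(0.25, 1.0, 3.0),
                    lm=(50_000, 300_000, 2_000_000))
MFA_ANNUAL_COST = 150_000  # constructed licence + operations figure

if __name__ == "__main__":
    before = simulate_annual_loss(BASELINE)
    after = simulate_annual_loss(WITH_MFA)
    print("baseline:", summarize(before))
    print("with MFA:", summarize(after))
    print("MFA ROI :", control_roi(before, after, MFA_ANNUAL_COST))
    print("budget  :", budget_vs_ale([BASELINE], security_budget=900_000))
```

Because the PERT mean is closed-form, the simulated ALE can be sanity-checked by hand: the baseline frequency averages about 2.4 events a year and the magnitude about $542k per event, so the mean ALE lands near $1.3M, and the MFA scenario at roughly half that. Running the same control comparison for each candidate on a roadmap gives the ranking the Year Two discussion describes, and summing the scenario ALEs each quarter gives the trend line to plot against budget.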
From here, they are moving to a service model, “an ongoing process throughout the year,” Markus said, “being able to provide better and more current data to our C-suite.”