Risk management is not well understood. Often there is confusion between risk management and risk assessment, and added to that confusion is how to measure risk or evaluate risk. After all, it is hard to measure something that hasn’t happened yet or to predict when it might happen. Thankfully, it is now possible to use data to make reasonable predictions based on facts. There are tools available to businesses, regardless of size, that can help them build a risk management program and therefore make the best investment choices to protect their business. In this latest Ostendio webinar, we were joined by Nick Sanna, RiskLens CEO and FAIR Institute president, to look at risk management in more depth and to demystify the science behind risk management.
During their conversation, Nick and Grant discussed how building an effective risk management program helps organizations evaluate and minimize risk. The purpose is to reduce the impact of risk events, for example, cyber threats, because it is hard to stop all events from happening but we can manage the risk impact that these events cause an organization. As Grant added, “The objective is not to get to zero risk but to get to acceptable risk.”
Nick explained that in the past, evaluating risk was thought to be more of an art or personal judgment where CISOs would use a gut feeling to make decisions, but this is not good business practice. He added that some people even think cybersecurity is so complex that it is too difficult to quantify. However, in the last couple of years, technology has helped us develop ways to effectively measure risk using data.
When should an organization think about risk management?
Grant raised the challenge that more than 99% of corporations have less than 1000 employees, so how do they collect all the data they need? Nick explained that the goal is often not to give super precise answers but to give satisfactory answers that will help you form a risk management plan. For example, is the impact a $6,000 impact or a $10,000 impact? That knowledge can help you make a decision on how to proceed. For smaller companies, taking advantage of industry benchmarks along with their own data goes a long way when evaluating risk. According to Nick, “There’s a myth in our industry that you need a lot of data but we have found that most companies have more data than they realize.”
Can small organizations start a risk management program?
Nick suggested that as a CISO, the best place to start is to educate yourself and the rest of your organization about the language used in risk management. Speaking the same language (risk, vulnerability, and so on), with everyone having a clear understanding of those terms, is a great starting point and will avoid confusion over time. He suggests looking at resources available from the FAIR Institute.
The FAIR™ Institute is a non-profit professional organization dedicated to advancing the discipline of measuring and managing cyber and operational risk.
Understanding the Risk Management Journey
Grant added, “At Ostendio we talk to customers frequently about risk management being a journey and not a destination. Most companies have thousands of assets and many locations. There’s a lot to track and it can be a challenge for an organization. How does the risk management journey start? How do companies build the long-term value of that data resource?” Nick said CISOs don’t have to be granular to do a good job. He suggests they start by focusing on critical assets and risk scenarios. He explains that the 80/20 rule applies in risk management: your top 20 risk scenarios will drive 80 percent of your risk. When you start risk assessments by sizing your top risks, it is a fast exercise. Nick said he tells companies to focus on top-down analysis, to identify their top assets, and to work on those first for the greatest impact.
Grant added that many companies think they are doing risk management when they are actually doing risk assessments. His experience is that many companies are doing episodic risk assessments and thinking they are doing risk management, which is instead an ongoing process. Nick agreed that there needs to be a process for risk management so that there is better decision-making. Those steps include identifying risks, scoping risk scenarios, analyzing them, and quantifying them. Once these steps are taken, he says, companies can then decide whether to accept an identified risk or mitigate it. Nick reiterated that risk decisions need to be made consistently to be effective.
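To make the process concrete, the following is an added example (not code from Ostendio, RiskLens, or the FAIR Institute, and not their method) that walks through the quantify-then-decide steps above on a small constructed risk register. It assumes a deliberately simplified model: each scenario gets a range estimate for how often a loss event occurs per year and what one event costs, both treated as independent uniform distributions, annual loss is frequency times cost, and a hypothetical per-scenario risk appetite of $30,000 at the 90th percentile decides between accept and mitigate. It also checks the 80/20 observation from the discussion by reporting how much of the total expected loss the top two scenarios carry. All scenario names and numbers are made up for illustration.

```python
import random
from dataclasses import dataclass
from typing import Dict, List


# Hypothetical data model: each scenario carries a range estimate for how often
# a loss event happens per year and how much one event costs. Ranges, not point
# values, are what a small organization can realistically provide.
@dataclass(frozen=True)
class RiskScenario:
    name: str
    freq_min: float   # loss events per year, low end of the estimate
    freq_max: float   # loss events per year, high end of the estimate
    loss_min: float   # cost per event in dollars, low end
    loss_max: float   # cost per event in dollars, high end

    def expected_annual_loss(self) -> float:
        """Analytic expected loss: with independent uniform estimates,
        E[frequency * magnitude] = E[frequency] * E[magnitude]."""
        return ((self.freq_min + self.freq_max) / 2) * ((self.loss_min + self.loss_max) / 2)

    def simulate_annual_losses(self, trials: int, rng: random.Random) -> List[float]:
        """Monte Carlo: draw a frequency and a per-event cost from each range
        and multiply, once per trial. Returns one annual-loss figure per trial."""
        return [
            rng.uniform(self.freq_min, self.freq_max) * rng.uniform(self.loss_min, self.loss_max)
            for _ in range(trials)
        ]


# Constructed sample register (made up for this example, not real client data).
SCENARIOS = [
    RiskScenario("Phishing leading to credential theft", 2.0, 6.0, 5_000, 15_000),
    RiskScenario("Ransomware on the file server", 0.1, 0.5, 50_000, 250_000),
    RiskScenario("Lost unencrypted laptop", 0.5, 1.5, 2_000, 8_000),
    RiskScenario("Critical vendor outage", 1.0, 3.0, 1_000, 3_000),
    RiskScenario("Public website defacement", 0.2, 0.6, 500, 2_500),
]


def percentile(values: List[float], p: float) -> float:
    """Linear-interpolated percentile, p in [0, 1]."""
    ordered = sorted(values)
    pos = (len(ordered) - 1) * p
    lo = int(pos)
    hi = min(lo + 1, len(ordered) - 1)
    return ordered[lo] + (ordered[hi] - ordered[lo]) * (pos - lo)


def rank_scenarios(scenarios: List[RiskScenario]) -> List[RiskScenario]:
    """Top-down prioritisation: highest expected annual loss first."""
    return sorted(scenarios, key=lambda s: s.expected_annual_loss(), reverse=True)


def top_n_share(scenarios: List[RiskScenario], n: int) -> float:
    """Fraction of total expected annual loss carried by the top n scenarios,
    i.e. the 80/20 check from the discussion."""
    ranked = rank_scenarios(scenarios)
    total = sum(s.expected_annual_loss() for s in ranked)
    return sum(s.expected_annual_loss() for s in ranked[:n]) / total


def decide(scenario: RiskScenario, appetite: float,
           trials: int = 20_000, seed: int = 7) -> Dict[str, object]:
    """Accept the risk if its 90th-percentile annual loss stays within the
    appetite (a hypothetical per-scenario threshold), otherwise mitigate."""
    rng = random.Random(seed)  # fixed seed so the decision is reproducible
    losses = scenario.simulate_annual_losses(trials, rng)
    p90 = percentile(losses, 0.90)
    return {
        "name": scenario.name,
        "expected": scenario.expected_annual_loss(),
        "simulated_mean": sum(losses) / len(losses),
        "p90": p90,
        "decision": "mitigate" if p90 > appetite else "accept",
    }


if __name__ == "__main__":
    print(f"Top 2 scenarios carry {top_n_share(SCENARIOS, 2):.0%} of expected annual loss")
    for s in rank_scenarios(SCENARIOS):
        d = decide(s, appetite=30_000)
        print(f"{d['name']:<40} E=${d['expected']:>9,.0f}  "
              f"p90=${d['p90']:>9,.0f}  -> {d['decision']}")
```

Running it ranks ransomware and phishing at the top and flags both for mitigation, while the three smaller scenarios fall inside the appetite and are accepted; the top two scenarios alone account for roughly 90% of expected annual loss, which is the concentration the 80/20 rule predicts. The point of the range inputs is the one made above: the register does not need to know whether phishing costs exactly $6,000 or $10,000 per event to tell you which two scenarios deserve the budget first.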
The weather risk example
At Ostendio, Grant likes to share his weather risk example to explain risk management to people who are new to the concept. In his example, he explains that every day we may make an assessment about going for a walk outside based on the weather. Using risk management, we start planning for the weather and we may purchase an umbrella, which is our mitigation step. When using an umbrella, the impact of getting wet is reduced. This is the risk management process. For weather, ten years ago there was no risk quantification, but today everyone picks up their phone and sees a 30% chance of rain. It is more analytical. The tools presented to the general public through their phones make decision-making easier. In the same way, in industry, there are tools available like MyVCM and RiskLens to simplify the decisions being made around everyday business risk. Smaller organizations have more tools available to them, and they are much easier to use.
Finding the right tools to handle risk management
MyVCM helps organizations source, track and manage their data. Ostendio MyVCM includes a functional risk management module. Working with RiskLens adds quantification analysis. By using these tools, companies have an understanding of their organization’s overall ecosystem, making it easy to build a security program through our platform. It also reaches out to third-party vendors as part of the process, giving added data security. Ostendio also brings partnerships with audit firms so that security audit requirements can be met. Many of the most common frameworks, such as SOC 2, FedRAMP and HITRUST, require organizations to show some kind of risk management program. Grant added that the days of spreadsheets and risk registers are over. They do not give the level of insight that an effective CISO needs.
RiskLens and Ostendio work with companies every day to help with building risk management programs and quantifying data to be used for risk management. To learn more about RiskLens please visit their website. To learn more about Ostendio, schedule a short demo where one of our experts will explain how the Ostendio MyVCM platform can help your business be always on, always secure, and always auditable.