Lunch and Learn: How to Introduce Cyber Risk Quantification (CRQ) to Your Organization

A successful quantitative cyber risk management program begins with lunch – more specifically, a Lunch ‘n’ Learn or other roadshow event to introduce to stakeholders the concepts, benefits, and practical details of launching a CRQ program or capability. As part of a RiskLens launch, our team members typically lead the first one or two of these events and then hand them off to clients, who know their audience well.

Why this approach? Because any new initiative builds best on a foundation of consensus and because introducing CRQ is a cultural change. That’s “change” not “revolution” – the goal is to enlighten existing decision-making processes with better data and a more objective analysis of risk.

Let’s cover some typical agenda items for a CRQ L ‘n’ L or other introductory event: 

Chad Weinman is Vice President, Customer Success, at RiskLens leading the team and strategy to ensure RiskLens customers realize the maximum potential value of cyber risk management solutions.

What Is Cyber Risk Quantification?

CRQ – sounds technical; but it doesn’t have to be. The goal is to bring a more objective data-driven way of measuring risk that also translates cyber into business terms.

Understanding risk quantification can be broken down into 2 important parts:
1.) The model. We are based on the Factor Analysis of Information Risk (FAIR™). This standard model has been around for well over a decade, meaning its been tried and tested. It’s a solid, industry standard to build from.

2.) The data. We then apply the data to the model. This is where we should ensure ket stakeholders understand that risk quantification doesn’t require excellent data. Rather, it allows us to leverage solid data when we have it and to properly assess risk when our data is lacking. Further, when working with RiskLens, the industry and benchmark data are a fantastic launching point for your program.

Once they understand the model (high level) and how we appropriately apply data to that model; we’ve make great progress!

We enter this data in the RiskLens platform, then run thousands of Monte Carlo simulations on our scenario to generate a range of probable outcomes for annual risk (or loss exposure in dollars) with results like this: 

Nice Chart. But What Are the Benefits of Cyber Risk Quantification? 

A range of probable outcomes gives decision-makers an opportunity to respond to a risk based on how much loss exposure they want to take on.  But more importantly, we’re now operating on a dollar basis and can compare this risk to others in or out of cyber, as well as compare the effect on risk reduction for investing in a new security technology or control.

The use cases of CRQ will vary by organization but through our experience we have many “stories from the field” to share on successes and how it brought value for

• First-line defenders assessing controls to deploy
• Risk managers seeking to prioritize a risk register
• Leaders of digital transformation projects that could drive the organization’s strategy forward
• CFOs or C-suiters looking for a view of risk by line of business
• Board members looking to exercise due diligence on the overall risk posture of the organization.

Vary your Lunch ‘n’ Learn agenda by your program’s objectives and your event’s audience. 

We’re Starting from Zero. How Can We Do CRQ in a Practical Way?

To get started in a very basic form you need to focus on the 5 P’s of FAIR Program Enablement…

Purpose: Your program governance and objectives
People: Training your key analysts and risk team on risk quantification and FAIR
Platform: The foundation for your program and engine you will work in daily
Process: How we integrate this into your organization and/or operationalize your program
Performance: Ensuring we make CRQ scalable

We have a decade of experience and many large enterprise deployments that have helped us craft and communicate various strategies and lessons learned. We can help develop an enablement roll-out plan with you.

After Launch, Keep Up the Communication 

Your stakeholders will stay engaged if they understand the “WHY” behind your work and how it will be used by the business. Celebrate the wins, the decisions your analysis work has supported. And keep up the lunch invitations.

RiskLens is the leader in cyber risk quantification. Learn about our Enterprise SaaS Platform and our Managed Services.