
As a Founding Advisory Partner to the FAIR Institute, Protiviti believes connecting with colleagues through forums such as FAIRCon is essential to the advancement and growth of the cyber risk quantification practice.
Our session, Factoring Risk in Decision Making, featured Protiviti’s Vince Dasta and FIS Global’s Matt Kruse, and explored a real-life example of reporting cyber risk to the board. Connect with our team to discuss key takeaways here.
A major cybersecurity event can dissolve millions of dollars in assets and tarnish even the strongest company’s reputation. As cybersecurity concerns grow and evolve, companies need to be prepared for the inevitable cyber-attacks with strong defenses to identify breaches and minimize damage. But how does leadership know where to invest in cybersecurity? How much is at risk? What should be prioritized? The answer lies in Cyber Risk Quantification (CRQ).
Cyber risk quantification uses industry-leading, highly vetted probabilistic models to describe more accurately the cybersecurity and technology-based risks facing an organization. Protiviti has been quantifying cyber risk since the beginning. By engaging subject matter experts (SMEs) such as business users, asset owners and key technical experts who may not previously have been included in cyber risk assessments, and by using data already available to those SMEs, we gather data more rapidly and make more accurate measurements for each factor within a given risk.
As a Founding Advisory Partner of the FAIR Institute, and a partner of RiskLens, the leading software-as-a-service platform based on the FAIR model, Protiviti’s team comprises practitioners at all levels and from varying backgrounds, all specializing in quantifying risk. Typical engagements range from a small-scoped engagement lasting a couple of days to a full program transformation and ongoing maintenance.
Quantitative modeling empowers an organization to fully understand the risks it faces, in business terms. This allows for budgetary justification, re-prioritization, and full delivery and support at the highest levels. Implementing a quantitative risk management program does not need to be a long, tedious or heavy undertaking before it yields useful results. Components of a program can be implemented at various stages to make the most impact for each organization. Common projects to complete before a full program transformation are:
Top Risks Identification: Top cybersecurity risk scenarios are identified through an interview and data-gathering process, followed by a specialized rapid assessment of each risk scenario. Aggregating contributions from security tools and teams, along with key business leaders and stakeholders, allows the top risks to be quantified in business terms.
Tactical Risk Quantification: Tactical analyses can be done to identify the risk exposure of a given scenario, or of multiple scenarios associated with a given asset. Objectives such as ROI or risk tolerance levels can be achieved, especially when the analysis is conducted in parallel with the broader program initiative. Once the scenarios are identified, a thorough analysis is completed, leveraging data as well as SMEs and business leaders.
Risk Aggregation and Trending: Aggregation can be used to identify systemic risk exposure across any number of scenarios (e.g., assets, control changes or initiatives that may change the risk exposure, departments, programs, or even the organization as a whole). Trend reporting can be done at any time to show the change in loss exposure over time, allowing organizations to demonstrate risk-reduction ROI.
Program Advisory: The key to a successful risk quantification program is scale and sustainability. Protiviti can help with all aspects of a risk quantification program, from defining initial program goals, socialization and training to operationalizing risk quantification within your organization: identifying use cases and implementing changes across the organization to derive value from this new capability.
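The aggregation and trending described under Risk Aggregation and Trending above, as an added example that is not Protiviti’s, RiskLens’s or the FAIR Institute’s code: a small FAIR-style Monte Carlo in Python that draws loss event frequency and loss magnitude from PERT (min / most likely / max) estimates, sums the scenarios’ losses in each simulated year to get aggregate exposure, and compares two assessment periods to report the expected-loss reduction. The scenario names and figures are constructed placeholders, not real assessment data.

```python
import math
import random
# FAIR-style calibrated estimates per scenario: loss event frequency (LEF, events per year) and
# loss magnitude (LM, dollars), each as (min, most likely, max). Constructed figures, not real data.
SCENARIOS = {
    "ransomware on file servers": {"lef": (0.1, 0.5, 2.0), "lm": (50_000, 400_000, 3_000_000)},
    "phishing-led account takeover": {"lef": (1.0, 4.0, 12.0), "lm": (5_000, 30_000, 250_000)},
}
def pert_sample(lo, mode, hi, rng):
    """PERT draw (a Beta shaped by min / most likely / max), the distribution FAIR tooling uses."""
    if hi <= lo:
        return lo  # degenerate estimate with no uncertainty
    a, b = 1 + 4 * (mode - lo) / (hi - lo), 1 + 4 * (hi - mode) / (hi - lo)
    return lo + rng.betavariate(a, b) * (hi - lo)

def poisson_sample(lam, rng):
    """Number of loss events in one year for expected frequency lam (Knuth's method); 0 if lam <= 0."""
    k, p = 0, rng.random()
    while p > math.exp(-lam):
        k, p = k + 1, p * rng.random()
    return k

def simulate_scenario(spec, years, rng):
    """Annual loss for one scenario: this year's event count, each event with its own magnitude draw."""
    losses = []
    for _ in range(years):
        events = poisson_sample(pert_sample(*spec["lef"], rng), rng)
        losses.append(sum(pert_sample(*spec["lm"], rng) for _ in range(events)))
    return losses

def aggregate(per_scenario):
    return [sum(year) for year in zip(*per_scenario)]  # systemic exposure: sum per simulated year

def percentile(values, p):
    s = sorted(values)  # nearest-rank percentile; p=90 is the loss exceeded in about one year in ten
    return s[max(0, math.ceil(p / 100 * len(s)) - 1)]

def exposure_summary(losses):
    """Annualized loss exposure in business terms: expected, median and 1-in-10-year loss."""
    return {"mean": sum(losses) / len(losses), "p50": percentile(losses, 50), "p90": percentile(losses, 90)}

def annual_exposure(scenarios, years=5000, seed=7):
    """Monte Carlo the whole scenario portfolio; a fixed seed keeps period-over-period runs comparable."""
    rng = random.Random(seed)
    return aggregate([simulate_scenario(s, years, rng) for s in scenarios.values()])

def exposure_trend(before, after):
    """Trend between two assessment periods: fraction of expected annual loss removed (risk-reduction ROI)."""
    b, a = exposure_summary(before)["mean"], exposure_summary(after)["mean"]
    return (b - a) / b if b else 0.0
```

To trend a control change, re-run `annual_exposure` with the affected scenario's LEF or LM estimates revised and pass both results to `exposure_trend`.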