How to Describe to Your CEO the Benefits of RiskLens, FAIR and Cyber Risk Quantification in 3 Minutes

June 16, 2020  Jeff B. Copeland

One CISO tells the story of a hallway encounter with the CEO of his organization, in which he used his few minutes of face time to brag about the [fill in a very large number] spam and other attacks his team had blocked in the last 30 days. “Isn’t that your job?” the CEO snapped.

RiskLens has a better elevator/hallway success story you can tell your CEO, if you’re running a quantified risk management program based on the FAIR™ standard and the RiskLens platform – a story that lines up with CEO-level concerns. According to the most recent Gartner report on CEO priorities, the top three concerns are:

1. Growth
2. Corporate Development
3. Financial Management

And let’s update those CEO concerns with a new one:

4. Survival/Adaptation in the Pandemic

Now, let’s craft a 3-minute pitch that lines up under those headings (to be customized to your organization’s current initiatives).

The setup:

“We’ve implemented a quantified cyber risk management program – meaning, we’re looking first to financial metrics, not technical ones, to judge our success. It’s based on the FAIR model, the international standard for cyber risk quantification, and running on the RiskLens platform, the leading software and services provider for cyber risk quantification and management.”

Growth Benefits

“Because RiskLens features a rapid risk assessment capability, our risk team is now fully embedded in the development of our [fill in the digital disruption initiative of your choice] – we are able to estimate the impact of probable cyber risk and give direction of security investment before we launch, saving the company from costly surprises.”

Corporate Development Benefits

“One of the advantages of bringing the FAIR model to our organization is that it introduces a common, non-technical vocabulary to talk about cyber risk – and it’s in financial, dollar-cost terms that everyone in the organization understands. It’s also compatible with the way we handle financial, operational and market risk so it truly brings cyber into the fold of all our enterprise risk management. Legal will love FAIR, too: We’ll give them the ability to respond to the increasing demands from regulators like the SEC to disclose cyber risk in financial terms. And we’ll be able to make a business case for investing in privacy rules compliance vs. potential fines or court judgments.”

Financial Management Benefits

“Because it considers cyber risk in financial terms, the RiskLens/FAIR approach focuses all discussion of cyber risk management on bottom-line, ROI terms. This has advantages up and down the organization: from the board and senior management levels, where we can now answer the questions about how much overall cyber risk the organization faces and how it lines up with our risk tolerance, down to the auditor level, where we can quickly judge everyday audit findings on a cost/benefit basis, asking whether our remediation effort would be worth the risk reduction in dollars.”

Pandemic Adaptation Benefits

“With the rapid risk assessment capability of RiskLens, we were able to quickly identify the top 40 probable risks of distributing our workforce, then focus our deeper analysis on the top three. We found that our largest loss exposure was around our VPN servers, and were able to target responses there first in a cost-effective way, leading to a [fill in your seven-figure dollar number] reduction in risk.”

OK, so you may not get 3 minutes of talk time before your CEO gets pulled away. As a fallback, just pull up a RiskLens report like the one below on your phone and say, “Look! Now we know what our top cyber risks are in dollar terms!”

Top Risks Report from RiskLens