February 20, 2024
Cyber Risk

What's Risk Management Maturity?

Simple answer: ‘To cost-effectively achieve an acceptable level of risk.’ Learn how to get there.

By Jeff Copeland

"We're not very mature" - it's a statement we hear in many conversations with information security professionals, despite the technological skills and proliferation of risk management maturity assessment tools in their organizations.

Jack Jones, creator of the FAIR™ standard (Factor Analysis of Information Risk), once commented on the subject that "Where we are as a profession is like doctors still relying on bloodletting." Which is to say, there's plenty of room for process improvement in the way most businesses approach risk mitigation.

As Jack sees it, common risk maturity assessment models in the profession are missing the point by focusing on what he calls "lagging indicators" - technologies or processes we can check off on a list.

Those models don't have a clearly defined meaning of maturity - a higher score is simply better than a lower score. "They don't really define what maturity represents," Jack says. "Many of us know organizations that score reasonably well on common risk maturity assessments but have significant difficulty prioritizing well or executing reliably."

Healthy risk governance relies on continuous improvement and a model that quantifies risk events in financial terms to inform business strategy. Jack pioneered the FAIR model to give a solid foundation for prioritizing and communicating cyber and technology risk management through quantifying risk in financial terms.

What Is Risk Maturity?

Risk maturity is the ability to "reduce noise and focus more effectively on truly high-risk concerns, choose cost-effective solutions for the risk management priorities, and execute reliably," Jack explains. An organization with a high level of risk maturity knows what their risk appetite is and what effective risk management looks like.

Key Concept:
"A mature organization is one that can cost-effectively achieve and maintain an acceptable level of risk."
-Jack Jones

In many engagements building programs for cyber risk quantitative management (CRQM), we have developed a working list of the capabilities and functions of a mature organization:

Cyber Risk Management Maturity Markers

  1. Cyber Risk Management Program Governance and Performance

    A mature risk management effort centers on a well-conceived program with milestones for near- and long-term performance. A good starting point is a program charter that lays out the

    1. Program Purpose
    2. Key Stakeholders and Reporting Cadence(s)
    3. Program Capabilities
    4. Measurement of Progress and Success

    For instance, a charter might set first-year goals of socializing cyber risk quantification in the organization, quantifying cyber loss exposure in the aggregate and by business unit, defining a risk appetite, defining specific risks, and running cost/benefit analyses. The charter might also define how the cyber risk management program would report and coordinate with the Board, the risk committee, enterprise risk management, security operations and other stakeholders.

    Key Concept:
    Introducing cyber risk quantification will be a cultural change in most organizations that typically have looked at cyber risk management as a compliance task. Carefully communicate the processes and value of CRQ to your stakeholders.

    Built on Open Standards

    A mature cyber risk management program commits to operate on (or be compatible with) open standards – no black box proprietary systems. Examples:

    1. FAIR™, the standard for risk quantification, and related models FAIR Controls Analytics Model (FAIR-CAM™) and FAIR Materiality Assessment Model (FAIR-MAM™)
    2. MITRE ATT&CK for threat analysis
    3. NIST or ISO standards for controls inventories

  2. Cyber Risk Quantification (CRQ)

    Mature organizations analyze and treat cyber risk as loss exposure in the financial terms that the rest of the business uses – no cyber-technical speak. FAIR analysis quantifies the two key elements of cyber risk: incident frequency (or likelihood) and magnitude (or impact).

    FAIR analysis always focuses on a risk scenario in which a threat acts against an asset, resulting in a quantifiable effect. The discipline of scoping a risk scenario ensures that analysts stay specific about the problem they are trying to solve and do not wander off topic, particularly when they gather data. The resulting quantified likelihood and impact set the team up to develop an actionable mitigation plan that measurably reduces loss expectancy.

    Key Concept:
    Risk scenarios are the basic units of CRQ and should be concise and accurate expressions of a problem the business needs to solve.

    CRQ in Real Time

    Many organizations run risk analysis as a quarterly or even yearly exercise at a single point in time, which in the fast-moving cyber risk landscape has a limited shelf life. Mature organizations run CRQ with live feeds of the signals that matter most – vulnerability management, EDR, cloud configuration, leaked credentials, phishing, threat intelligence, controls status – for a continuous view of risk posture.

    Key Concept:
    To reach its full potential, cyber risk quantification requires automation.

    Reporting in Terms the Business Understands

    A mature reporting system is not only quantified and instantly available but also presented to business stakeholders in a way that is consistent with how the business views itself. Executives, board members or analysts should be able to see a report tailored to their needs, quantifying risk by business unit, product or application, aggregated across the entire enterprise, or sliced by other parameters.

  3. Decision Support

    The first deliverable of a quantitative cyber risk management program – and likely the most common going forward – is a top risks analysis: ranking a set of risks by likelihood and impact in financial terms. Many of the benefits of CRQ flow from this analysis. Examples include:

    1. Project prioritization for risk burndown
    2. Direction for budgeting and investment in security
    3. Identification of material risks for reporting to regulators
    4. Cost/benefit or ROI analysis of mitigations for the top risks
    5. Technology rationalization, also based on ROI
    6. Assessing insurance coverage against where it is most needed
    7. Comparing against industry benchmarks to understand the organization's own performance
    8. Checking whether top risks concentrate in one business unit, geography or product, which would indicate an operational problem
    9. Checking whether risk concentrates in one type of threat actor or attack vector
    10. Tracking how well the program reduces risk over time
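    The two elements of FAIR analysis described above (loss event frequency and loss magnitude), the top risks ranking, and the cost/benefit analysis in the list can be worked through in a short simulation. The following is an added example, not code from the article or from the FAIR standard's tooling; the scenario names and the (min, most likely, max) estimates are constructed assumptions.

```python
import math
import random
import statistics

# Constructed sample scenarios (not from the article). Each is a scoped FAIR-style
# scenario (a threat acting on an asset with a given effect) with calibrated
# (min, most likely, max) estimates of events per year and dollars lost per event.
SCENARIOS = {
    "Ransomware encrypts ERP servers":         {"freq": (0.1, 0.3, 1.0), "mag": (500_000, 2_000_000, 8_000_000)},
    "Phished credentials used for wire fraud": {"freq": (1.0, 3.0, 8.0), "mag": (20_000, 80_000, 300_000)},
    "Misconfigured cloud bucket leaks PII":    {"freq": (0.05, 0.2, 0.5), "mag": (100_000, 500_000, 3_000_000)},
}

def _poisson(lam, rng):
    """Knuth's Poisson sampler; adequate for the small annual rates used here."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate_annual_loss(freq, mag, trials=20_000, seed=7, freq_factor=1.0):
    """Monte Carlo annual loss for one scenario: per trial, draw an event rate
    (triangular), the number of events that year (Poisson), and one triangular
    magnitude per event. freq_factor scales the rate; 0.5 models a control that
    halves how often the scenario occurs."""
    rng = random.Random(seed)
    f_lo, f_mode, f_hi = freq
    m_lo, m_mode, m_hi = mag
    losses = []
    for _ in range(trials):
        rate = rng.triangular(f_lo, f_hi, f_mode) * freq_factor  # arg order: low, high, mode
        events = _poisson(rate, rng)
        losses.append(sum(rng.triangular(m_lo, m_hi, m_mode) for _ in range(events)))
    losses.sort()
    return {"ale": statistics.fmean(losses),   # annualized loss expectancy
            "p90": losses[int(0.9 * trials)]}  # a "bad year" loss level

def rank_top_risks(scenarios=SCENARIOS):
    """Top-risks analysis: scenarios ordered by ALE, highest first."""
    ranked = [(n, simulate_annual_loss(s["freq"], s["mag"])) for n, s in scenarios.items()]
    return sorted(ranked, key=lambda r: r[1]["ale"], reverse=True)

def control_roi(name, annual_cost, freq_factor, scenarios=SCENARIOS):
    """Cost/benefit of a control: (ALE reduction - annual cost) / annual cost."""
    s = scenarios[name]
    before = simulate_annual_loss(s["freq"], s["mag"])["ale"]
    after = simulate_annual_loss(s["freq"], s["mag"], freq_factor=freq_factor)["ale"]
    return (before - after - annual_cost) / annual_cost
```

    Calling `rank_top_risks()` returns the scenarios in ALE order with a 90th-percentile loss for each, and `control_roi("Ransomware encrypts ERP servers", 250_000, 0.5)` shows whether a $250k/year control that halves ransomware frequency pays for itself.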

    Key Concept:
    One of the most difficult tasks in quantitative cyber risk analysis is understanding the role that cybersecurity controls play in determining the organization's susceptibility to attack, a critical factor in determining loss event frequency or likelihood. With the assistance of the FAIR Controls Analytics Model (FAIR-CAM), mature organizations can solve the susceptibility analysis problem. Learn more about FAIR-CAM.