Reduce Uncertainty Around Risk with Quantification

Episode summary: What does a “high” risk mean to you? What does it mean to your colleague? Does your organization have multiple risks marked as “high” but it’s hard to figure out which one to focus on first? If you answered yes to the last question, risk quantification may be the right fit for you. However, risk quantification has proven to be a popular and complex subject. That is why we invited Bob Maley, Chief Security Officer at Black Kite, to talk to us about how risk quantification helps risk pros use quantification to make sense of qualitative data and effectively communicate risk across an organization. Bob is CRISC, CTPRP, and an Open FAIR™ certified risk quantification expert who has led state-of-the-art risk management programs.

In this episode of GRC & Me, Bob discusses the importance of risk quantification and how it can help organizations make better strategic decisions. We also discuss how Black Kite’s Open FAIR™ based solution calculates the probable financial impacts of cyber breaches and how it communicates risks in quantitative, easy-to-understand business terms so that organizations can risk smarter and with confidence.
Chapters:
  • What led Bob to Risk Quantification? (01:47 MIN)
  • "High risk" means different things to different people (01:46 MIN)
  • You can be extremely precise, but never accurate (01:21 MIN)
  • Monte Carlo simulation (02:13 MIN)
  • Reporting to the board (01:19 MIN)
  • The tremendous value of FAIR (01:24 MIN)
  • Cyber insurance (01:09 MIN)

Megan Phee: Hi, I'm Megan Phee and this is GRC & Me, where we interview industry thought leaders in governance, risk, and compliance, on hot topics, industry-specific challenges, trends, and more. Learn about their methods, solutions, and outlook in this space. Hello, my name is Megan Phee with GRC & Me. Today we sit down with Bob Maley, risk quantification subject matter expert, and Chief Security Officer at Black Kite. Bob has been involved in security for most of his career. Initially in physical security as a law enforcement officer, and as he got involved in the technical side of risk, he acquired a broad range of expertise in all areas of security, from third-party, to risk assessments, to data protection, incident reporting, and beyond. Bob was the former CSO at the Commonwealth of Pennsylvania and most recently, the Head of Global Third-Party Security and Inspections for PayPal. Today, Bob's role at Black Kite encompasses all things security, privacy, and risk. Our companies are mutually aligned in the fact that Black Kite helps their customers make strategic decisions using risk quantification. At LogicGate, we leverage risk quantification in our new 'Risk Cloud Quantify' application, to transform risk into strategic advantage for our Risk Cloud users. Now, here's our conversation on risk quantification with Bob Maley. All right, Bob. Well, thank you for joining us on another episode of GRC & Me.

Bob Maley: My pleasure.

Megan Phee: Let's jump right in. So, tell us Bob, what led you to risk quantification?

Bob Maley: It's interesting. In a previous role at PayPal, one of the things that I was responsible for was all of the global third-party risk.

Megan Phee: Yeah.

Bob Maley: How the information security group worked was, they looked at different risk themes. So, account takeovers, database, a lot of different themes, but one of those themes was third-party. The standard way that they were looking and reporting in risk was a qualitative methodology. When I say qualitative, I mean in a risk matrix, using those terms, high, medium, and low. What was interesting when they first started doing that, everybody was red, it was at high, and in a qualitative methodology, there's only so many things you can do. It was interesting that over time, year after year, that those risk themes, that high risk never changed. It kind of got frustrating for reporting to senior management, how do you compare one thing to another, if you're using a qualitative methodology? There's no way to track, there's no performance. If you're always in red, what's the performance of your program? What's the value if I've gotten an additional funding to add new controls or to do something new and I can't show, in a monetary way, how that has affected that? "Yeah, well, we're going to try to get to yellow." "Yellow is where we want to be." It's really kind of meaningless. It became really frustrating for me, as well as frustrating for some of the other risk leaders. That's kind of led me to finding a better way to do it, and I ran across a book by Jack Jones and the concept about FAIR, and I started educating myself and learning how to do FAIR, and it was something that I saw a lot of future value in.

Megan Phee: Awesome. Now, we talked about this concept on the podcast before. We've talked about what risk quantification is, but can you talk and share with our listeners more about what it's not?

Bob Maley: So it's kind of hard to say what it's not, it's easier to compare. For instance, doing risk in a qualitative methodology, people seem to use math because there's always an underlying math equation and that's how they seem to justify it. That they'll use something like a loss expectancy. So do we think that this is going to happen? How many times this year? They use a single ordinal number and it's a number that, it's essentially a guess, there's not a lot of thought process and it's an expert opinion. It's not based on data, so it involves guessing. Then you use these single numbers that go into a math formula that created an end result that then gets labeled in a range. So when qualitative high is, again, this is all arbitrary, that it may be between this certain range. They like to say, "Well, we're going to put dollars on that range," because then when we're talking about dollars in this methodology, then a business will understand that. In reality, it's kind of like, what you do is you take rainbows times Pikachus plus apples equals unicorns. Everybody knows what a unicorn is and you feel good when you see it, but in a meaningful way, it doesn't reduce any uncertainty around your risk.

Megan Phee: Right.

Bob Maley: That's the key difference is that when you do it in a quantitative way, you're looking at it in a methodical process that reduces uncertainty.

Megan Phee: Mm-hmm (affirmative).

Bob Maley: What I mean by that is when you say it's high risk, what does high risk mean to you? What does high risk mean to the CEO?

Megan Phee: Right.

Bob Maley: What does high risk mean to a board member? What does high risk mean to the CFO? Because of risk appetite, high risk will mean different things to different people. When you're using that single number, you know high, and to be honest with you, when you use a single number, you can be extremely precise, but you're never accurate.

Megan Phee: Mm-hmm (affirmative).

Bob Maley: What I mean by that is I can tell you that a meteor is going to hit the earth and destroy most of the life on earth. Okay. Going to happen. When is it going to happen?

Megan Phee: Yeah.

Bob Maley: I've given a statement that there's no useful degree of precision.

Megan Phee: Yeah.

Bob Maley: It's accurate because it'll happen sometime in the next 5 million years or 10 million, but there's no precision. That's the major difference is when you're doing it in a quantitative way. You're presenting information that allows people that are responsible for the risk to understand it, to have more information, and to reduce their uncertainty. Instead of that single one particular ordinal number you're giving a range and a quantitative methodology gives a range. There's a whole process behind that. But essentially it says here's the minimum and here's the maximum, and here's the most likely, but in between that, it gives a distribution.

Megan Phee: Mm-hmm (affirmative).

Bob Maley: That distribution can then relate to different people that are going to interpret it in their own risk appetite. So that's the value that's essentially, that's the difference.

Megan Phee: Mm-hmm (affirmative). I really appreciate that. Thank you for breaking it down, what it is, what it isn't, and reducing the uncertainty. I think that is... That's the critical component. How do you get all of these different varying thoughts about what does high mean to them, and perspectives, and how do you normalize that across the business? Especially across different experiences too. Very great. When we talk about risk quantification, we often refer to the Monte Carlo simulation. Can you explain what the Monte Carlo simulation is for our listeners that are just less familiar, haven't heard it, or have heard it but didn't really know what that meant?

Bob Maley: Well, it's interesting. Obviously Monte Carlo is a casino in Europe, but a Monte Carlo simulation is not just simply gambling or betting on odds or things like that. It's a little bit more in depth. If you really want to know more about it, I highly recommend doing an internet search and read the story behind it, but we don't have enough time to talk about the story of how it really got developed. Essentially it was developed around the time of World War II on something called the Manhattan Project. The Manhattan Project were the scientists and the folks that were inventing nuclear bombs, it was the atomic bomb and how they developed it. They were looking for a methodology to be able to do calculations about combination of elements that create explosion.

Megan Phee: Mm-hmm (affirmative).

Bob Maley: When you're talking about explosions of that magnitude, you're not going to go, "Oh well, let's do some of this and some of this and see what happens." One of the mathematicians on the project, he developed a process where you could take information that was based on ranges. In other words, it wasn't something that was a methodology where it's Pikachus times rainbows. It is where you take information that you know, and you have a certainty about it.

Megan Phee: Mm-hmm (affirmative).

Bob Maley: In that as well, it's somewhere between this amount and that amount. We're pretty confident it's going to be somewhere around here. So you've established that information. What Monte Carlo does, then it goes and does mathematical simulations using those range inputs in the confidence levels and then it has an output. It's a probability study. It's a mathematical probability study that will then produce that distribution chart that I talked about. It'll tell you what the most likely is and the minimum, the maximum and along that distribution, what the likelihood is for different amounts.

Megan Phee: Mm-hmm (affirmative).

Bob Maley: So when it's presenting information, it reduces the uncertainty because it gives you a broader picture and understanding about what you're trying to do. It's named Monte Carlo, not because it's gambling, but because the gentleman who put the concepts together had an uncle who liked to gamble at Monte Carlo. It's just that's what he named it. It's an interesting story. You have to look it up.

Megan Phee: Yeah. That is a really interesting story. Thank you for debunking that, the relation to the casino. That's really interesting. I know that you have firsthand experience with this. Can you share some stories from your experience about how risk quantification has helped GRC professionals make strategic risk decisions?

Bob Maley: I can, and I can tell you one place where it didn't work.

Megan Phee: Yes!

Bob Maley: I left PayPal before we had a chance to really implement that.

Megan Phee: Okay.

Bob Maley: The GRC folks were very committed to the qualitative methodology, and it can be very challenging to shift from that qualitative to quantitative methodology.

Megan Phee: Yeah.

Bob Maley: To be honest with you, when I first looked at this, I'm not a mathematical genius. Math was one of the classes in school that I always hated. I did the least amount possible to get through because it just, something, it wasn't an area that interested me. I always thought that, you can't predict things through math. These things don't work. In reality, I've learned over time that a lot of systems, when you're looking at getting life insurance, actuarial studies on data, about probabilities of somebody dying with certain data indicators at a certain age, and it prices insurance, mortgage. Everything's based on that.

Megan Phee: Oh yeah!

Bob Maley: So personally from there, I didn't have that opportunity. Today, I do at Black Kite. I use a FAIR methodology for enterprise. I use our Black Kite platform for all of our third-party because it's automated.

Megan Phee: Great.

Bob Maley: Really for me, it's impactful because when I report to a CEO or I do a board report, I'm speaking in financial impact. The board was saying, "Oh, well, third-party. That's, here's how much we have in third-party risk. Do we have cyber insurance that covers that?" In other words, it sparks business decisions. We have one of our customers that they really became interested in FAIR because of some of the similarities that I had at PayPal. They wanted to be able to understand, for them, it was more along the lines of, "We have more vendors than what we can realistically do deep dive assessments." Is there a way how we can understand which one of those are the most impactful? Impactful means, what's the financial impact? So that the FAIR process allowed them to essentially triage those, and spend time on those that were the most impactful to do the things that you really should be doing in a mature third-party risk management program or at enterprise risk as well. It kind of morphed into a little bit more than that because when they started reporting differently, instead of reporting in a high, medium, low, they started reporting in financial impacts. The board became extremely interested and understanding.

Megan Phee: Yeah.

Bob Maley: That can be a danger because they're going to want to understand how you've come up with that particular financial impact.

Megan Phee: Mm-hmm (affirmative).

Bob Maley: The tremendous value of FAIR is that it's easy to explain because there's so much history. You know, Jack Jones has worked on this for 20 years. There's documents, there's books, there's training. There's so much to back you up to help them understand that. Especially for the board, it's their world. Their world is risk. In the board's world, risk means it's either financial impact or financial reward. Risk or reward. When you're speaking that language one time, you have to explain to them how you came to that and they understand that. Then it's a different world. It's a different relationship. In this particular client, the board, they wanted to consume more information every month. They wanted updates every month. Most CSOs I know, they hate to report to the board about third-party or about risk in general, because they have to be the interpreter.

Megan Phee: Mm-hmm (affirmative).

Bob Maley: They're reporting in high, medium, and low. The board has to trust the CSO that he understands what that high impact really means. Sometimes it's a little risky, especially when high, medium, low really doesn't tell you what that is. For this particular customer, that was a game changer from two aspects, the triage, because as you're aware, as everybody that does risk or third-party, we all know we don't have unlimited budgets. We don't have an unlimited staff. So it gives them that capability to triage, then to report up to the board.

Megan Phee: I think as GRC professionals, we want the board level visibility, awareness, and support but then you have to, to your point, be prepared for the scrutiny that it may follow. So being able, and I know we talked about this offline, this is why, I still respect the FAIR methodologies because it does, it eliminates that black box. You can actually articulate and confidently present the how, the why, the what, behind the numbers that you're presenting. That is the biggest thing as you step into this next level of maturity, for a lot of folks in their risk program. You got to be able to defend the numbers, right. How do you do that if you can't really figure it out? So that's why we at LogicGate kind of gravitated to that and really, really respect that methodology because of that. It just makes it removes, debunks the magic.

Bob Maley: Absolutely. The secret sauce, so to speak.

Megan Phee: Exactly.

Bob Maley: That's one of the things that got me interested in Black Kite in the beginning is that everything, the technical evaluations, the compliance, the FAIR, it's all done with open standards. I've been in a situation where I took a report on a vendor that was high risk to the business unit to help them understand, well, it's really a lot of risk for us, for you to use this vendor. The business owner said, "What does high risk mean?"

Megan Phee: Oh boy.

Bob Maley: Then I'm back on my heels trying to explain, well, there's these vulnerabilities. We can have a data breach. What does that mean? This vendor, they do so much for our company. They're making a lot of money for us. So is it high risk? What does that really mean? I wasn't on that same business level with the business unit owner. That's why using the FAIR it puts you on that same level. Totally different conversation when you're talking the same language.

Megan Phee: Same common interests of that dollars and cents, right?

Bob Maley: Exactly.

Megan Phee: Fantastic. Well, thank you so much. Were there any other stories that you think would be meaningful to share today?

Bob Maley: In today's world and cyber, especially with all the stuff going on around ransomware, cyber insurance. Everybody's talking about it, you need to have cyber insurance. Then how do you go about getting cyber insurance? Because how do they evaluate you from a cyber perspective? Cyber insurance companies are starting to use rating services for that. One of our companies, our clients, Markel Insurance, they came on early with us as a consumer for self-monitoring and third-party, but then their underwriting teams started to see the value of what they could look at when they were underwriting a policy. There's a lot of data that goes into underwriting those types of policies, but the uncertainty around, how susceptible are they to something? What is the real financial risk? When they can use a FAIR number of financial impact, that dollar range, it enables them to make those underwriting decisions, it increases the precision. It helps them in their business. So tremendous value to them.

Megan Phee: Thank you for that. Bob, we've talked a lot today about risk quantification, what it is and what it isn't, how math is really the underpinning to so many of the things in our daily lives, and how the FAIR methodology really can give folks confidence to articulate the financial impact, and the work that you're doing here at Black Kite. Thank you so much for joining us today. For those listening, to learn more about Risk Cloud Quantify, visit LogicGate.com to check it out. Thank you again, Bob, for joining us.

Bob Maley: My pleasure.

Megan Phee: So this is Megan Phee with another episode of GRC & Me. If you're interested in learning more about risk quantification, you're in luck because LogicGate just released a new e-book, 'The Definitive Guide to Risk Quantification', to help you understand how risk quantification works, how it can enhance your organization's risk management capabilities, and more. If you don't have time to sit down and read it, that's okay. We've created an audiobook version, so you can access it from anywhere, and it gets better. We included an interactive workbook, so you can apply the things you've learned and get started on your own risk quantification journey. We'll drop a link in the show notes below, and you can download all three today. Until next time, this is Megan Phee with GRC & Me.
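The range-driven Monte Carlo simulation Bob describes, as an added editor's example that is not part of the podcast, Black Kite's platform or LogicGate's product: a loss event frequency range and a loss magnitude range (min, most likely, max, all constructed and hypothetical) are sampled thousands of times, and the result is a distribution of annual loss rather than a single "high". The `exceedance_probability` helper answers the cyber-insurance question from the episode, "how often would the year's loss exceed a given limit?"; the triangular sampling, the dollar figures and the percentile choices are assumptions of this example, not FAIR's canonical distributions.

```python
import math
import random
from statistics import mean

# Constructed, hypothetical FAIR-style inputs (not real figures):
# Loss Event Frequency (events per year) and Loss Magnitude (dollars per event),
# each stated as a calibrated range: minimum, most likely, maximum.
LEF = {"min": 0.1, "most_likely": 0.5, "max": 2.0}
LM = {"min": 20_000, "most_likely": 150_000, "max": 1_200_000}


def poisson(rng, lam):
    """Knuth's method: number of loss events in one simulated year at rate lam."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(lef, lm, trials=20_000, seed=1):
    """Monte Carlo: sample a frequency from its range, then a magnitude per event."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = []
    for _ in range(trials):
        rate = rng.triangular(lef["min"], lef["max"], lef["most_likely"])
        events = poisson(rng, rate)
        year_loss = sum(
            rng.triangular(lm["min"], lm["max"], lm["most_likely"]) for _ in range(events)
        )
        losses.append(year_loss)
    return losses


def percentile(values, q):
    """Nearest-rank percentile, q in [0, 1]."""
    ordered = sorted(values)
    return ordered[int(round(q * (len(ordered) - 1)))]


def summarize(losses):
    """The min / most likely / max style summary a board can compare across risks."""
    return {
        "min": min(losses),
        "p10": percentile(losses, 0.10),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "max": max(losses),
        "mean": mean(losses),
    }


def exceedance_probability(losses, threshold):
    """Fraction of simulated years whose loss exceeds threshold (e.g. an insurance limit)."""
    return sum(1 for x in losses if x > threshold) / len(losses)


if __name__ == "__main__":
    losses = simulate_annual_losses(LEF, LM)
    for name, value in summarize(losses).items():
        print(f"{name:>5}: ${value:,.0f}")
    limit = 1_000_000  # hypothetical cyber insurance limit
    print(f"P(annual loss > ${limit:,}) = {exceedance_probability(losses, limit):.1%}")
```

Two vendors whose qualitative rating is both "high" can be ranked by comparing their p90 or mean annual loss from this summary, which is the triage Bob describes.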
