In the dynamic world of cloud security, risk management is a cornerstone of a robust security posture. But with various methodologies and frameworks available, how do security leaders effectively assess and mitigate risks? To gain deeper insights, we sat down with Joseph Haske, a Risk Manager at PipeDrive, whose unique background in actuarial and financial engineering, combined with his experience as a US Navy veteran, provides a compelling perspective on the challenges and opportunities in the field.
Haske, who transitioned into security from a data science background, was initially hired to build a risk management team at PipeDrive. This experience has shaped his views on the importance of adaptability and a continuous learning attitude. A typical day for him involves extensive conversations with people, participating in the AI use case review board, and working asynchronously on documentation, risk reports, and process procedures.
A key takeaway from Haske’s journey is the paramount importance of communication. He credits his time in the US Navy with instilling a disciplined approach to communication, emphasizing clarity and understanding. He recounts an anecdote from his Navy days where the rules were so rigid that words like “increase” or “decrease” were replaced with “going up” or “going down” to avoid confusion. This same principle, he argues, is vital in security, where practitioners often need to communicate complex concepts to non-technical stakeholders. This requires understanding the priorities and language of different departments like sales, marketing, and legal. This cross-functional understanding is akin to a submariner’s need to know the entire submarine, not just their specific area.
You can read the complete transcript of the epiosde here >
The Two Pillars of Risk Analysis: Qualitative vs. Quantitative
The conversation with Haske centered on the age-old debate between qualitative and quantitative risk analysis. While some argue for the necessity of quantifying everything, others believe that certain security aspects are better suited for a qualitative approach. Haske offers a nuanced view, highlighting the strengths and weaknesses of each methodology.
Qualitative Risk Analysis: The Decision-Making Framework
Haske views qualitative risk analysis not as a mere measurement of risk, but as a decision-making framework for the organization. The primary strength of this approach is its accessibility and ease of use. It’s a method that people can easily understand without being intimidated by complex mathematics. By using a qualitative approach, organizations can standardize how they discuss decisions, ensuring everyone is on the same page. For instance, a risk with a high impact and likelihood might be designated for a CEO’s decision, while one with a lower impact and likelihood can be decided by a different leader.
However, the significant weakness of a purely qualitative approach is that it doesn’t truly measure risk; it measures the “feeling around the topic”. It can also suffer from inconsistencies. For example, a scale from one to five might lead to a score of five for both an impact of one with a likelihood of five, and vice versa. Haske emphasizes that organizations must be aware of these inconsistencies and not treat the framework as the ultimate authority. To implement a qualitative framework successfully, Haske suggests a continuous, subtle reinforcement of the underlying thought process. Instead of explicit training, he frames the conversation around “who do we need the decision from?” which allows team members to naturally adopt the desired mindset.
Quantitative Risk Analysis: The Power of Digging Deeper
In contrast, quantitative risk analysis is the preferred method when an organization wants to “dig in” and understand the dynamics of how a risk is operating. This approach is particularly useful when expert intuition is lacking or uncertain. A quantitative approach, like the FAIR (Factor Analysis of Information Risk) model, focuses on getting an accurate answer, even if that answer is a broad range, such as a potential loss of one to ten million dollars. It allows organizations to use more of the data they have to build a more certain model.
From a philosophical standpoint, quantitative analysis prioritizes accuracy and a deep understanding of potential monetary losses or other metrics, such as hours spent or computational resources. It can provide a probability distribution, such as “a $100,000 or more loss is likely in 5% of scenarios,” which is a much more mathematical and compelling perspective than a qualitative statement.
The Hybrid Approach: A Practical Solution
For a growing startup, Haske recommends starting with a qualitative framework to build the “risk conversation muscle”. However, he cautions that it’s easy to get stuck there and miss out on the benefits of a quantitative approach. A hybrid approach, where organizations begin to incorporate quantitative data like the number of incidents or their associated costs, can be a valuable middle ground. This allows a company to maintain the ease of use of a qualitative model while digging deeper when the data and confidence are available. Ultimately, Haske believes that if an organization has the resources for a quantitative approach, it’s the ideal place to be, as relying solely on qualitative analysis means missing out on a lot of information.
Peer Review and Collaboration: The Human Element
Haske is a strong advocate for peer review of risk assessments by stakeholders from different business areas. This process is crucial because people have vastly different perceptions of what constitutes a “high risk”. By taking a set of assumptions to a diverse group and getting their agreement, a risk manager can gain assurance that their conclusions are correct. He shares a personal anecdote where a peer review saved him from presenting a flawed assessment to executives.
Implementing such a process in a large organization can present challenges. One potential problem is a lack of close collaboration among reviewers, leading to ineffective feedback. Another is the “too many chefs in the kitchen” scenario, where a large risk steering committee with representatives from different departments might be deadlocked by competing agendas. To tackle these issues, Haske recommends being deliberate about who peer reviews the assessment, choosing individuals who are both close enough to the subject matter to provide an effective review and impartial enough to avoid conflicts of interest.
Haske also emphasizes the importance of managing the “cumulative ask” from different departments. Security leaders must be intentional about how they introduce new priorities and be clear when something isn’t a high priority, acknowledging that other teams have their own non-security-related initiatives.
The Future of Risk Management
Looking ahead, Haske anticipates a significant shift in the field. He believes that standards will increasingly move towards requiring quantitative risk analysis. Drawing a parallel to other industries like credit and life insurance, he notes that they have all hit a quantitative requirement, and he believes cybersecurity risk is not far behind.
To prepare for this shift, security leaders should start incorporating quantitative metrics wherever possible. Simple measures like the number of incidents or their associated costs can significantly enhance the quality of risk assessments and make them more compelling to stakeholders. A statement like, “We had an incident, and it cost this much money,” backed by data, is far more impactful than a simple qualitative assessment.
Haske also addressed the challenge of assessing risks associated with emerging technologies like AI and quantum computing. He asserts that the underlying risk framework remains effective, even if the time horizon differs. The key is to stay updated on the new technology, understand the surrounding laws, and identify potential vulnerabilities.
Building a Culture of Risk Management
Ultimately, building an effective risk management program is not just a security team’s function; it requires buy-in from the entire organization. Haske highlights two pillars for building a strong risk culture.
- Continuous Explanation: Security leaders must be willing to “explain, explain, explain” the risk management program. By continually talking to people and providing “micro-trainings,” they can ensure that the framework is understood and adopted throughout the organization.
- Excellence in Execution: By doing the program “really well,” and creating compelling, well-documented risk reports, other departments will see the value and want to replicate the process. When the program is successful, other teams will no longer need to be convinced; they will actively seek out the security team to get involved.
This collaborative approach, built on strong communication and demonstrable value, ensures that risk management becomes a shared responsibility rather than a siloed function. As Joseph concludes, it’s about helping other leaders see the value of a security risk management program, so they are not just informed but actively contribute to it.
Final Recommendation
For those looking to deepen their knowledge of risk management, Haske recommends the book Measuring and Managing Information Risk, a FAIR Approach by Jack Grund and Jack Jones. He considers it a comprehensive and balanced resource that provides a structured approach to standing up a risk management program
