You’re all fired up about Factor Analysis of Information Risk (FAIR™) and eager to bring the transformative power of cyber risk quantification to your organization—but for now, you’re a voice crying in the wilderness of red-yellow-green heat maps and other qualitative attempts at risk analysis. Others have gone before you – and here’s some advice from industry veterans on first steps and entry points to generate support for FAIR, drawn from our blog posts.
Before you roll out your campaign to the wider organization, be sure to make yourself as expert as you can on the FAIR standard:
--Read the FAIR book, Measuring and Managing Information Risk.
--Take FAIR training.
--Read An Adoption Guide for FAIR, the e-book by FAIR standard creator Jack Jones.
1. Explain FAIR at a High Level to Start
"We basically try to abstract the concepts of FAIR to a much higher level so conceptually it is easy to digest. If we need to, we step into a further level of detail which would involve using the full model. We found this two-stage model to be a lot more effective than trying to educate on the full ins and outs of FAIR on the first go."
2. Explain FAIR with Use Cases Your Audience Understands
“It took some analyzing of scenarios that our executive audience was very familiar with. In our particular case it’s the mortgage industry. So instead of focusing on analyzing scenarios that had something to do with information security, I focused on stuff that had to do with the mortgage industry. Then we could overlay risk-related numbers on top of that, which they also understood – the language of dollars.”
3. Make It about Their Needs, Not Yours
“We say let’s think about the business that you have, the operations you have, and let’s use a risk-based approach to prioritize what you should do in the interest collectively of the agency and the federal government. That flips the conversation.”
4. Don’t Wait for Permission or Perfection. Start Running Analyses that Demonstrate Your Work
“We didn’t need the perfect methodology; we didn’t need the perfect set of metrics. We just needed to do the work… to start doing analyses. We needed to start talking to people about initiatives and processes we could apply it to…We built experiences that tell our story…and then the policies and procedures are falling out naturally from how we actually did the work not how we thought we should be doing the work.”
5. For Quick Wins, Insert FAIR Analysis as a Value-add into Ongoing Processes and Programs
“Look for simple things like security exceptions, purchase decisions, control decisions.”
6. Build Support by Positioning FAIR Analysis as a Value-add for Compliance
“There’s a difference between them doing the process because they have to vs. them getting real value in return for that engagement, where they come to us saying ‘I have a couple paths I have to take, help me decide which has the most manageable risk for the company’…They do that because they want to.”
7. Look for Internal Clients with Something to Prove
Tony found his first internal clients by looking for teams that had recently made security investments and offering to run a cost-benefit analysis to see if the investment was working. “I have never had anybody turn me down.”
8. Look for Internal Clients in Pain
“You need to gauge the level of pain they are in as it relates to wanting to truly understand and manage their information or cyber risk. Organizations that have either been given a directive from their board, had some of the risks manifest into actual incidents or are struggling to effectively manage information/cyber risk are more receptive to other models instead of traditional qualitative models.”
9. Establish FAIR Terminology as the Standard for Discussing Cyber and Tech Risk
“I made it a requirement that every single director and manager within the security program had to take the certification. Then that becomes the common language that we can use to talk to each other…Whenever we do FAIR training, at least 15% of the trainees have to be from outside the security team.”
10. Risk Registers Are Often a Mess – Look to Help with Straightening Up
“We started with the big list of risks that everybody has” (audit findings, pen test findings, etc.) “and normalized it” by finding the asset in question, creating a risk scenario, then performing risk quantification to come up with a ranked list.
11. Take It to the Next Level: Find an Executive Sponsor to Pave the Way to Wider Acceptance
Take “even an hour to show a senior stakeholder the lens through which FAIR views the world and how this is a way to be far more effective as a security operation.”
12. Understand that You Have Started on a Journey
“You should approach it in an agile fashion. You shouldn’t expect that big bang output. Look at it as a journey and a journey you need to bring all of your partners along to be successful.”