FAIR Institute Blog

12 Bits of Advice from FAIR Veterans to New FAIR Evangelists

Nov 5, 2020 11:09:57 AM / by Jeff B. Copeland

You’re all fired up about Factor Analysis of Information Risk (FAIR™) and eager to bring the transformative power of cyber risk quantification to your organization—but for now, you’re a voice crying in the wilderness of red-yellow-green heat maps and other qualitative attempts at risk analysis. Others have gone before you – and here’s some advice from industry veterans on first steps and entry points to generate support for FAIR, drawn from our blog posts.


Before you roll out your campaign to the wider organization, be sure to make yourself as expert as you can on the FAIR standard: 

--Read the FAIR book, Measuring and Managing Information Risk

--Take FAIR training

--Read An Adoption Guide for FAIR, the e-Book by FAIR standard creator Jack Jones. 



1. Explain FAIR at a High Level to Start

"We basically try to abstract the concepts of FAIR to a much higher level so conceptually it is easy to digest. If we need to, we step into a further level of detail which would involve using the full model. We found this two-stage model to be a lot more effective than trying to educate on the full ins and outs of FAIR on the first go."

--Jason Ha, PwC Australia 


2. Explain FAIR with Use Cases Your Audience Understands

“It took some analyzing of scenarios that our executive audience was very familiar with. In our particular case it’s the mortgage industry. So instead of focusing on analyzing scenarios that had something to do with information security, I focused on stuff that had to do with the mortgage industry. Then we could overlay risk-related numbers on top of that, which they also understood – the language of dollars.”

--Keith Weinbaum, Quicken Loans


3. Make It about Their Needs, Not Yours

“We say let’s think about the business that you have, the operations you have, and let’s use a risk-based approach to prioritize what you should do in the interest collectively of the agency and the federal government. That flips the conversation.” 

--Cody Scott, NASA


4. Don’t Wait for Permission or Perfection. Start Running Analyses that Demonstrate Your Work

“We didn’t need the perfect methodology; we didn’t need the perfect set of metrics. We just needed to do the work… to start doing analyses. We needed to start talking to people about initiatives and processes we could apply it to… We built experiences that tell our story… and then the policies and procedures are falling out naturally from how we actually did the work, not how we thought we should be doing the work.”

--Emery Csulak, DOE 


5. For Quick Wins, Insert FAIR Analysis as a Value-add into Ongoing Processes and Programs

“Look for simple things like security exceptions, purchase decisions, control decisions.”

--Jack Freund, co-author with Jack Jones of the FAIR book  


6. Build Support by Positioning FAIR Analysis as a Value-add for Compliance

“There’s a difference between them doing the process because they have to vs. them getting real value in return for that engagement, where they come to us saying ‘I have a couple paths I have to take, help me decide which has the most manageable risk for the company’… They do that because they want to.”

--Drew Simonis, Hewlett-Packard Enterprise 


7. Look for Internal Clients with Something to Prove

Tony found his first internal clients by looking for teams that had recently made security investments and offering to run a cost-benefit analysis to see if the investment was working. “I have never had anybody turn me down.”

--Tony Martin-Vegue, Netflix


8. Look for Internal Clients in Pain

“You need to gauge the level of pain they are in as it relates to wanting to truly understand and manage their information or cyber risk. Organizations that have either been given a directive from their board, had some of the risks manifest into actual incidents or are struggling to effectively manage information/cyber risk are more receptive to other models instead of traditional qualitative models.”

--Jason Ha, PwC Australia


9. Establish FAIR Terminology as the Standard for Discussing Cyber and Tech Risk

“I made it a requirement that every single director and manager within the security program had to take the certification. Then that becomes the common language that we can use to talk to each other… Whenever we do FAIR training, at least 15% of the trainees have to be from outside the security team.”

--Omar Khawaja, Highmark Health 


10. Risk Registers Are Often a Mess – Look to Help with Straightening Up

“We started with the big list of risks that everybody has” (audit findings, pen test findings, etc.) “and normalized it” by finding the asset in question, creating a risk scenario, then performing risk quantification to come up with a ranked list.

--Tony Martin-Vegue, Netflix


11. Take It to the Next Level: Find an Executive Sponsor to Pave the Way to Wider Acceptance

Take “even an hour to show a senior stakeholder the lens through which FAIR views the world and how this is a way to be far more effective as a security operation.”

--Steve Reznik, ADP  


12. Understand that You Have Started on a Journey

“You should approach it in an agile fashion. You shouldn’t expect that big bang output. Look at it as a journey and a journey you need to bring all of your partners along to be successful.”

--Pat McGuinness, Manulife

Topics: FAIR, Risk Management


Written by Jeff B. Copeland

Jeff is the Content Marketing Manager for RiskLens.
