I want to take a moment to reflect on where the FAIR™ movement stands as we begin the New Year. I believe we are right now at a turning point, headed for far-reaching improvements in cyber risk management, led by Factor Analysis of Information Risk (FAIR) and cyber risk quantification.
Nick Sanna is Founder and President of the FAIR Institute
2020 was a breakthrough year, when FAIR and risk quantification got on the map for many more organizations
Recognition of FAIR as the standard model for defining and quantifying cybersecurity and operational risk and interest in learning about the FAIR model hit a critical mass last year:
Membership in the FAIR Institute passed 10,000, less than five years after the Institute’s founding. Members represent over 40% of the Fortune 1000 and come from 118 countries, a clear sign that better risk assessment is now on the agenda of an increasingly large number of organizations.
In 2020, leading industry organizations recognized and recommended FAIR as a standard for improving risk assessment and security budget prioritization:
- The 2020 edition of the NACD Cyber Risk Oversight Handbook strongly endorsed risk quantification as a better basis for improved decision-making and business performance and cited FAIR as a valid model.
- The new NIST Interagency Report NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), recommended that organizations move from qualitative to quantitative risk assessment to “better prioritize risks or prepare more accurate risk exposure forecasts” and cited FAIR as a quantitative risk analysis methodology that is being adopted by organizations.
- COSO, the organization behind the widely used COSO Enterprise Risk Management Framework, issued its first guidance document on cyber risk management and included a reference to the FAIR model as a tool for “management to align the cybersecurity program to the business objectives and set targets.”
- HITRUST partnered with the FAIR Institute in 2020 to plan for the integration of the FAIR standard and the HITRUST CSF, the controls framework used by hundreds of thousands of organizations.
2021 will be the year when quantitative risk assessment will actually be operationalized by a record number of companies
On the heels of a very difficult year, with the pandemic disruptions and a dramatic increase in cyber attacks, government and private enterprise organizations are looking for ways to improve their long-term risk posture and defense capabilities. With a more remote workforce and many new business and customer-facing services moving online, the footprint exposed to attack is only getting bigger.
As never before, organizations must prioritize the digital risks that matter most and allocate budgets where they can have the biggest effect on meeting acceptable risk levels and business goals. The days when you could wing it by applying best practices across the board are gone – the level of threat activity and the number of vulnerabilities are just too large. You must prioritize, cost-effectively!
Our friends at Gartner reported a record interest in cyber risk quantification and digital risk management in 2020 not only by CISOs but increasingly by business leaders, driven by the simultaneous need for supporting new digital initiatives and reining in cybersecurity cost. What apparently is holding most back is understanding how to do it.
Gartner Research Director Khushbu Pratap spoke at the 2020 FAIR Conference on the Drivers for Cyber Risk Management and Digital Transformation
Cyber risk executives and business leaders with security oversight will have a huge role to play this year. As a center for collaboration, we at the FAIR Institute will continue to support them with education on the FAIR standard, awareness of best practices and FAIR-based solutions that can help them better align cybersecurity with business objectives.
To all the members of the FAIR community around the world, I wish you a Happy New Year!