3 Quick Steps for FAIR Program Maturity

“Don’t boil the ocean,” “manage expectations” and “baby steps” are common phrases that capture the mindset needed for consistent, sustained growth of a FAIR™ cyber risk quantification program. But every now and then it’s nice to get some quick wins to gain visibility and establish credibility within your organization.

Here are three quick and low-intensity efforts that can mature your quantitative risk analysis program: automate, template, and integrate.


Caleb Juhnke is Senior Information Security Engineer (Cyber Risk Quantification), Equinix.

Also by Caleb: What to Do After You Pitch Quantitative Risk Analysis



Automate Data Collection

Robust data leads to better analysis and better decision support. Here’s the catch: subject-matter expert (SME) exhaustion. I’ve had the pleasure of networking with many accomplished and seasoned quantitative analysts, and a common theme has been difficulty around data gathering, specifically from SMEs.

The organization’s business analysts, patch management teams, and SOC analysts have full-time jobs. Right or wrong, sitting through data gathering calls is not high on their priority list. Data requests that are too repetitive or too frequent will result in burnout.

A key part of developing FAIR in your organization must be data independence: the ability to answer most data questions without scheduling a call. Network with the cybersecurity disciplines across your organization and use your goodwill to gain access to the troves of existing data on dashboards, logs, and SharePoint repositories.

Being included on automated distribution lists and alerts can also position your team to gather important data without mucking up stakeholder calendars. There is a positive correlation between your data independence and stakeholder support.




Template Data Intake

A growing risk quantification program usually means bringing on more analysts. With the increase in analytical power also comes an increase in personalities, communication styles, and assumptions.

Diversity of thought is a core component in any program, but standardization of communication channels is key to delivering a consistent product.

When the team must reach out to stakeholders, use templated data intake forms. This allows SMEs to become accustomed to the types of questions needed for better analysis, and it empowers the risk management team to effectively engage the organization.

The value of templating is not limited to communication outside of the risk team. As multiple analysts engage in independent research and analysis, it is important to document the rationale used for estimates. Templating and defining required information fields used in the analyst’s rationale will create a consistency of analysis that allows for greater transparency and uniformity in reporting.




Integrate Risk Analysis with Decision Support

After successfully evangelizing FAIR and quantitative analysis, the risk program may find its services in high demand. It is important to ensure that risk analysis and decision support do not remain purely ad hoc.

It is essential to develop processes, and process hand-offs, that bake quantitative analysis into operational, tactical, and strategic decision support. Successfully integrating into internal stakeholders' existing processes helps manage work levels and set expectations for the program.

The right point of integration can usually be identified by asking one question, “What decision are we trying to make?”, and then plugging risk quantification into the existing process that answers it.

Finding ways to automate, template, and integrate is often as simple as a conversation with stakeholders. Keep that in mind while you develop goals for your quantitative risk management program!

Learn more: 9 Bits of Advice from FAIR Experts for Faster, Better Cyber Risk Analysis

