Watch this video from the 2022 FAIR Conference for tips on launching a cyber risk quantification program based on Factor Analysis of Information Risk (FAIR™), winning acceptance, and keeping the forward motion going even through management changes.
Andrew Retrum, Managing Director, US Security Program & Strategy Practice Lead, Protiviti
David Severski, Senior Security Data Scientist, Cyentia Institute
Tim Kelly, Senior Manager, Protiviti
Brenda Thayer, Senior Manager, Technology Risk, Fannie Mae
A FAIR Contributing Membership is required to view the video. Join the FAIR Institute now.
Find Your Business Champion – But Have a Succession Plan
Panelists agreed that FAIR programs are most likely to take root if advanced by an enthusiastic sponsor in business management. But what happens if the champion moves on to another company? Brenda Thayer said she looks to cultivate a group of allies in the business who understand and appreciate quantitative risk analysis. And secondly, “establish the right processes so if the champion leaves, you don’t have to start from two steps back but from where that person left off.”
Don’t Let Enthusiasm Cool – Get Your Initial FAIR Risk Analysis Results Out Fast
David Severski said “A weakness in how FAIR gets implemented in many organizations is that people get engaged with the FAIR community and get really excited, but then they struggle to get that first analysis done. Twelve months to get to a first proof of concept is far too long.” Brenda cautioned not to let the perfect get in the way of the good enough. “Just get something down and evolve from that.”
A key point beginners can miss, David said, is that FAIR is both an ontology – a guide to thinking through a risk analysis problem – and a set of tools like Monte Carlo analysis. “It’s the framing of the problem that is the challenging work,” and you can always “farm off the analysis to a tool like RiskLens or a small group with the mathematical background to run that.”
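To make the "ontology plus tools" split concrete, here is an added example (not code from the panelists, the FAIR Institute or RiskLens) of the tool side: a small Monte Carlo run of a FAIR-shaped scenario, where Loss Event Frequency and per-event Loss Magnitude are each given as calibrated min/most-likely/max estimates, sampled with a PERT distribution, and combined into a distribution of annualized loss in dollars. The scenario numbers are constructed for illustration, and the PERT-via-Beta and Poisson event-count choices are this example's own assumptions about how a FAIR tool would do the sampling; the framing work David describes (deciding what the asset, threat and loss forms are) happens before any of this runs.

```python
import math
import random
import statistics

# Constructed example scenario (hypothetical values, not from any real analysis).
# Each estimate is (min, most likely, max), the calibrated-range shape FAIR analyses use.
LOSS_EVENT_FREQUENCY = (0.1, 0.5, 2.0)             # loss events per year
LOSS_MAGNITUDE = (50_000, 250_000, 2_000_000)       # dollars per loss event


def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw one value from a PERT distribution (a Beta scaled onto [low, high])."""
    if high == low:
        return low
    a = 1.0 + lam * (mode - low) / (high - low)
    b = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)


def poisson_sample(rng, lam):
    """Number of loss events in one year for expected frequency lam (Knuth's method)."""
    if lam <= 0:
        return 0
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(lef, lm, trials=10_000, seed=1):
    """Return one simulated annualized loss (dollars) per trial.

    Each trial samples a frequency from the LEF range, draws how many events
    actually occur that year, and sums an independently sampled magnitude
    for each event. This is the FAIR 'Risk = LEF x LM' relationship as a
    distribution rather than a point estimate.
    """
    rng = random.Random(seed)
    results = []
    for _ in range(trials):
        freq = pert_sample(rng, *lef)
        n_events = poisson_sample(rng, freq)
        results.append(sum(pert_sample(rng, *lm) for _ in range(n_events)))
    return results


def summarize(losses):
    """Percentile summary of the simulated annualized loss distribution."""
    s = sorted(losses)

    def pct(p):
        return s[min(len(s) - 1, int(p * len(s)))]

    return {
        "min": s[0],
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "max": s[-1],
        "mean": statistics.fmean(s),
    }


def exceedance_probability(losses, threshold):
    """Fraction of simulated years whose loss exceeds the threshold.

    This is one point on a loss exceedance curve, the form in which results
    are usually put in front of decision makers ('what are the odds we lose
    more than $1M this year?').
    """
    return sum(1 for x in losses if x > threshold) / len(losses)


if __name__ == "__main__":
    sim = simulate_annual_loss(LOSS_EVENT_FREQUENCY, LOSS_MAGNITUDE)
    for name, value in summarize(sim).items():
        print(f"{name:>5}: ${value:,.0f}")
    print(f"P(loss > $1M) = {exceedance_probability(sim, 1_000_000):.1%}")
```

Because the simulation is seeded, re-running it gives the same numbers, which matters when the same scenario is revisited after a champion or executive leaves; the inputs and the sampler, not an individual's spreadsheet, are what the program has to preserve.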
Real Success Metrics for Your FAIR Program
Tim Kelly said “One of the key sticking points in making sure the program survives is just getting the results in front of the right people. When executives or board members take analysis results and make decisions from them, it sets a new standard. When you see dollars of loss exposure and that level of rationale and critical thinking going into some of the problems of your organization, it’s hard to take that step back and say no, we’re going to have a high medium low scoring system.”
David put it more bluntly: “You have to get the business addicted to what you are doing and demanding that…What you really should be measuring is the number of decisions influenced. Now you are talking about a program that can survive a change” of a champion or an entire executive leadership.
Get more tips on scaling a FAIR quantitative risk program – watch the video of this FAIR Conference session