Michael Meis is four months into launching a cyber risk management program based on Factor Analysis of Information Risk (FAIR™) at The University of Kansas Health System but, as he explained in his presentation to the recent FAIR Conference, the prequel started long before. He held about 60 meetings with stakeholders to explain FAIR and risk quantification to build credibility, trust and collaboration because “rolling out FAIR is a culture change across the entire organization.”
FAIRCON22 Case Study Presentation: “Okay, Now What?” - Steps to Set Up a Quantitative Risk Management Program at Any Organization
Michael Meis, Associate CISO, KU Health
Michael recommends that FAIR launch leaders choose one of three approaches for their next steps:
Begin with analyses of the top risks and scenarios on a strategic level.
Pros: Builds momentum at the highest levels of senior management and the board. Communicates risk in the terms they understand: revenue and value generation.
Cons: Time- and labor-intensive. Takes 3-6 months to develop a top cyber risks report, gain expertise in FAIR, and show some value.
Start with the cyber risks already in the organization’s risk register and convert them to FAIR scenarios for quantitative risk analysis. Michael recommends this video from the FAIR Institute: How to Turn Your Risk Register Items into Risk Scenarios You Can Quantify with FAIR.
Pros: Lowest barrier to creating a FAIR program. Lower resource investment and short time to value; can produce a first risk analysis in a week or two, and lets you work out the kinks in the program before giving it visibility in the organization.
Cons: Low visibility among senior levels. Can be difficult if the organization has a longstanding ERM program with an expectation to follow already defined, qualitative processes.
Big Game Hunting
Find a big decision that needs to be made, or a problem that needs to be defined, and supply the missing context with a FAIR risk quantification. For instance: an audit finding, or a decision on a vendor agreement, a control implementation or another security investment.
Pros: Creates immediate buy-in across the organization and builds a roster of friendly decision-makers who can help when you scale the program.
Cons: Size of upfront investment can vary widely, depending on the size of the decision and the speed required to produce results.
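The two approaches above that start from concrete items (converting a risk register entry into a FAIR scenario, and quantifying a single control decision in "big game hunting") come down to the same analysis, so one worked example serves both. The block below is an added illustration written for this page; it is not code from Michael Meis, KU Health or the FAIR Institute. It uses FAIR's two top-level factors, Loss Event Frequency (LEF) and Loss Magnitude (LM), with calibrated three-point estimates sampled as PERT distributions and a Monte Carlo over simulated years, which is the standard shape of a FAIR analysis. The register entry (a ransomware scenario against EHR servers), every number in it, and the assumed post-control LEF and control cost are constructed for illustration and carry no information about KU Health.

```python
import math
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pert:
    """Calibrated three-point estimate (min, most likely, max), sampled as a
    PERT distribution, the input shape FAIR analyses commonly use."""
    low: float
    mode: float
    high: float

    def __post_init__(self) -> None:
        # Reject miscalibrated inputs early rather than silently skewing the run.
        if not self.low <= self.mode <= self.high:
            raise ValueError(f"mode must lie within [low, high]: {self}")

    def mean(self) -> float:
        # Standard PERT mean with the usual shape parameter lambda = 4.
        return (self.low + 4 * self.mode + self.high) / 6

    def sample(self, rng: random.Random) -> float:
        span = self.high - self.low
        if span == 0:
            return self.low
        a = 1 + 4 * (self.mode - self.low) / span
        b = 1 + 4 * (self.high - self.mode) / span
        return self.low + rng.betavariate(a, b) * span


@dataclass(frozen=True)
class FairScenario:
    """A risk register item restated as a FAIR scenario: a threat acting on an
    asset with a given effect, plus the two top-level FAIR factors."""
    asset: str
    threat: str
    effect: str
    lef: Pert  # Loss Event Frequency: loss events per year
    lm: Pert   # Loss Magnitude: cost per loss event, in dollars


# Constructed register entry for illustration only; every figure is made up.
EXAMPLE_SCENARIO = FairScenario(
    asset="EHR application servers",
    threat="ransomware operator",
    effect="availability",
    lef=Pert(0.1, 0.5, 2.0),
    lm=Pert(50_000, 250_000, 2_000_000),
)


def _poisson(rng: random.Random, rate: float) -> int:
    """Knuth's Poisson sampler; adequate for the small per-year rates used here."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario: FairScenario, years: int = 20_000, seed: int = 7) -> list[float]:
    """Monte Carlo over simulated years: draw a frequency, draw that many loss
    events, and sum their magnitudes. Returns one annual total per year."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        events = _poisson(rng, scenario.lef.sample(rng))
        totals.append(sum(scenario.lm.sample(rng) for _ in range(events)))
    return totals


def summarize(totals: list[float]) -> dict[str, float]:
    """The figures a top-risks report usually carries: expected annual loss plus tail percentiles."""
    ordered = sorted(totals)

    def pct(p: float) -> float:
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {"ale_mean": statistics.fmean(ordered), "p50": pct(0.5),
            "p90": pct(0.9), "p95": pct(0.95), "max": ordered[-1]}


def analytic_ale(scenario: FairScenario) -> float:
    """Closed-form expected annual loss, E[LEF] * E[LM]; a sanity check on the simulation."""
    return scenario.lef.mean() * scenario.lm.mean()


def control_comparison(scenario: FairScenario, lef_after: Pert, annual_control_cost: float) -> dict[str, float]:
    """Big-game-hunting use: re-run the scenario with the LEF a proposed control is
    expected to leave behind (an assumed estimate) and net the avoided loss against its cost."""
    before = summarize(simulate_annual_loss(scenario))["ale_mean"]
    after = summarize(simulate_annual_loss(replace(scenario, lef=lef_after)))["ale_mean"]
    return {"ale_before": before, "ale_after": after,
            "net_benefit": before - after - annual_control_cost}


if __name__ == "__main__":
    stats = summarize(simulate_annual_loss(EXAMPLE_SCENARIO))
    print(f"{EXAMPLE_SCENARIO.threat} -> {EXAMPLE_SCENARIO.asset} ({EXAMPLE_SCENARIO.effect})")
    for key, value in stats.items():
        print(f"  {key:>8}: ${value:,.0f}")
    print(f"  analytic ALE: ${analytic_ale(EXAMPLE_SCENARIO):,.0f}")
    # Assumed control: cuts expected loss event frequency roughly in half for $120k/year.
    decision = control_comparison(EXAMPLE_SCENARIO, Pert(0.05, 0.2, 1.0), annual_control_cost=120_000)
    print(f"control decision: {decision}")
```

The closed-form ALE is there so the first thing you check after converting a register item is whether the simulation's mean lands near E[LEF] × E[LM]; a large gap means a miscalibrated estimate or a bug, and that check is cheaper than discovering it in front of the board. The same two-factor scenario, re-run with the LEF a control is expected to leave behind, is what turns a vendor or control decision into a number the business can compare with the control's annual cost.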
No matter the path you take, Michael advises, “train, train and train some more” your team not just with FAIR training but other forms of modeling, as well as business communication techniques. He encouraged his conference audience to “plug into the FAIR community” for advice from peers. “This is probably the most robust community that I have ever seen within the information security space.”