How to introduce and prove value for a FAIR™ cyber risk quantification program at an organization with 500,000 employees in 100 countries – that was the challenge faced by Gideon Knocke at an international health-related company. Gideon and his consultant on the launch, Tom Callaghan, shared their learnings at the recent 2021 FAIR Conference.
Gideon Knocke, Former Risk Manager, Fresenius
Tom Callaghan, Co-Founder & Managing Director, C-Risk, Co-Chair, Paris Chapter, FAIR Institute
Tom Callaghan and Christophe Foret of C-Risk won the FAIR Ambassador honor of the 2021 FAIR Institute Excellence Awards
4 Tips on FAIR Program Launch from Gideon and Tom
1. Start small. Resist quantifying everything and build experience by taking on single use cases one at a time. Pick some issues that can’t be easily solved without quantification.
2. Choose your risk scenarios carefully for maximum business value. Gideon and Tom focused on the value chain of the organization. With the help of business stakeholders, they mapped the key processes used to generate value and the crown jewel assets that support them.
3. Focus your research efforts on the Loss Magnitude (or right side) of the FAIR model. You can find hard data for magnitude from internal sources, starting with the company’s annual report, and rely more on industry data for the Loss Event Frequency side of the model. Start your research by clarifying how the six forms of loss in FAIR apply to your organization.
4. Map your scenarios to a standard controls model (they used CIS). “That’s actually key,” Gideon said, “because after the question, ‘how much risk do we have?’ there was always the question, ‘now what do we do with it?’” Tom added, “It’s important to visualize how controls can impact a scenario both in terms of frequency and impact…And that allowed us as well to take some of the scenario analysis outputs and use it in project planning.”