Three experienced FAIR™ CISOs (and one CIRO) got down to cases on how they introduced FAIR analysis and won acceptance for cyber risk quantification in their organizations in the session C-Level Panel: Improving Decision Making through the Adoption of FAIR at the recent 2020 FAIR Conference.
On the panel:
Frank Kim, Curriculum Director SANS (Moderator)
Pat McGuinness, CIRO, Manulife
Mary Elizabeth Faulkner, CISO, Thrivent Financial
Mike Green, CISO, Cigna
Omar Khawaja, CISO, Highmark Health
Some tips from the session:
Start your FAIR program with quick wins
Panelists agreed that scoring small victories by demonstrating the value of FAIR in limited but valuable use cases is a good way to build acceptance. “Progress over perfection should always be the model,” Mary Elizabeth Faulkner said. “My eyes were bigger than my belly,” Pat McGuinness said of when he started: he tried to size his entire risk register, then found he didn’t have the people or the data to carry it off. “Then we came back and started looking at loss exposure and that’s what started gaining engagement from other folks.”
Stick to scenarios that show business value
“Answer the questions that the business wants answered rather than the (technical) questions you are interested in,” Mike Green advised. Omar Khawaja tells his team to focus on the business outcomes of risk reduction, compliance, operational excellence and customer experience. “If your project is not improving one of those business outcomes, there’s no point presenting it.”
Socialize FAIR with training
The panel agreed on the need to consistently speak about risk in FAIR terms within the organization – and FAIR training makes that happen. At Thrivent, the entire infosecurity team goes through FAIR training. At Cigna and Highmark, that extends to ERM and audit teams (Omar Khawaja pays out of his budget). “We want to really broaden the set of consumers and teach them about the taxonomy so they can ask better questions of us,” Mike Green said.
Look at FAIR adoption as a journey, and one you take with partners
“You should approach it in an agile fashion,” Mike Green said. “You shouldn’t expect that big bang output. Look at it as a journey and a journey you need to bring all of your partners along to be successful.” Pat McGuinness found that the process of identifying assets for analysis was a great introduction tool. “As we began to roll it out more people began to say ‘hey, I use that data, and this is how valuable it is to me.’ That really has helped the program move forward.”
Expect a breakthrough in credibility for infosecurity
All the panelists said that FAIR had finally opened the door for them to have business-level conversations with business partners about cyber risk. As Faulkner said, “Information security always struggles at being a cost center and being able to show return on investment. FAIR is bridging the gap on ROI and that takes us much closer to speaking in the same language as our board of directors and business stakeholders.” Pat McGuinness said that to discuss “what our exposure is and the what-if scenarios and how it can change the residual risk in our environment, that changes the conversation so dramatically. When you can talk about your risk domain with regard to how it’s measured quantifiably, credibility goes off the charts.”
Get more tips from the CISOs: Watch the video C-Level Panel: Improving Decision Making through the Adoption of FAIR from the 2020 FAIR Conference (requires a FAIR Institute membership).