Congratulations, you launched a risk analysis and management initiative based on Factor Analysis of Information Risk (FAIR™). You lined up an executive sponsor, wangled some staff, hopefully set out a road map with a CRQ program charter and posted in the window a menu of CRQ services your team stands ready to provide.
Then comes the hump – finding real-life risk scenarios to analyze and produce value for stakeholders.
One consistent bit of advice we have heard from successful FAIR program managers is, don’t stand behind the counter waiting for customers to walk in. Look for targets of opportunity to perform risk analysis and rack up some wins quickly. Particularly look to establish a toehold in existing processes or practices that will make CRQ part of SOP (that’s standard operating procedure).
Here are some suggestions from the FAIR community:
1. Clean up the risk register, audit findings or policy exceptions
Risk registers and GRC tools are notoriously dumping grounds for audit findings, pen-test results, or other perceived risks that somebody should do something about some day.
FAIR practitioners can offer a valuable service by evaluating register entries for whether they are truly risks in the FAIR sense: an identifiable threat actor, a method of attack, an asset at risk and the controls in place, together giving a quantifiable likelihood of occurrence and cost of impact. A risk register should be filled with risk statements carrying those elements, not vague concerns, and prioritized with quantification.
At the 2021 FAIR Conference, Robert Immella, then of KeyBank, demonstrated how he applied that FAIR-aligned approach to intake for policy exceptions, and took it a step farther by categorizing the controls for their efficacy according to the FAIR Controls Analytics Model (FAIR-CAM). See Rapid Policy Exception Management: Controls Alignment with FAIR-CAM.
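A small triage pass over a constructed risk register, added here as an illustration and not code from the FAIR Institute or any FAIR tool: entries lacking the FAIR elements are sent back for rewording, and the rest are ranked by a Monte Carlo annualized loss exposure. The field names are hypothetical, and triangular distributions stand in for the PERT curves FAIR tooling normally uses.

```python
import random
from statistics import mean

# Constructed sample register: two proper risk statements and one vague concern.
REGISTER = [
    {"id": "R-1", "title": "Ransomware on file servers",
     "threat_actor": "cybercriminal", "method": "phishing-delivered ransomware",
     "asset": "departmental file servers", "controls": ["EDR", "offline backups"],
     "lef_per_year": (0.1, 0.3, 1.0),               # (min, most likely, max) loss events per year
     "loss_magnitude": (50_000, 200_000, 900_000)},  # USD per loss event
    {"id": "R-2", "title": "Vendor portal credential stuffing",
     "threat_actor": "opportunistic attacker", "method": "credential stuffing",
     "asset": "vendor portal accounts", "controls": ["MFA", "rate limiting"],
     "lef_per_year": (1.0, 3.0, 8.0),
     "loss_magnitude": (2_000, 8_000, 30_000)},
    {"id": "R-3", "title": "Cloud is risky", "threat_actor": "", "method": "",
     "asset": "", "controls": [], "lef_per_year": None, "loss_magnitude": None},
]

# Elements a register entry needs before it is a FAIR risk statement (hypothetical field names).
REQUIRED = ("threat_actor", "method", "asset", "controls", "lef_per_year", "loss_magnitude")

def missing_elements(entry):
    """Return the FAIR elements an entry lacks; an empty list means it can be quantified."""
    return [k for k in REQUIRED if not entry.get(k)]

def simulate_ale(entry, runs=10_000, seed=1):
    """Monte Carlo annualized loss exposure: frequency times magnitude per run, averaged.
    Triangular distributions are an assumption standing in for FAIR's PERT curves."""
    rng = random.Random(seed)
    lo_f, ml_f, hi_f = entry["lef_per_year"]
    lo_m, ml_m, hi_m = entry["loss_magnitude"]
    return mean(rng.triangular(lo_f, hi_f, ml_f) * rng.triangular(lo_m, hi_m, ml_m)
                for _ in range(runs))

def triage(register):
    """Split a register into ALE-ranked risks and entries returned for rewording."""
    ranked, rejected = [], {}
    for entry in register:
        gaps = missing_elements(entry)
        if gaps:
            rejected[entry["id"]] = gaps
        else:
            ranked.append((entry["id"], simulate_ale(entry)))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked, rejected

if __name__ == "__main__":
    ranked, rejected = triage(REGISTER)
    for rid, ale in ranked:
        print(f"{rid}: ALE about ${ale:,.0f}/yr")
    for rid, gaps in rejected.items():
        print(f"{rid}: not a risk statement, missing {gaps}")
```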
2. Assess a new or existing vendor, acquisition or other third-party risk
Third-party risk comes in several varieties – none solved satisfactorily with current practices, like vendor questionnaires or scans of a vendor's internet-facing applications. But that situation is changing with the development of the FAIR Third Party Assessment Model (FAIR-TAM), which shows FAIR practitioners how to assess the risk a vendor presents based on, for instance, its access to data, servers or revenue.
In M&A, FAIR analysis of the target organization’s top risks leverages standard practices in FAIR – but here’s a reminder, good for any sort of analysis, to pay close attention to what your internal clients want. FAIR team members from Maersk, Pooya Alai and Rebekka Kurland, told the 2023 FAIR Institute London Summit how they delivered a merger analysis discussing risk with the standard output of annualized loss exposure (ALE) – the mergers team shrugged it off until the FAIR team recast their findings in terms that showed the risk premium factored into the deal price. See Maersk Case Study: Sometimes Talking Dollars Is Not Enough.
3. Scope risk from AI activities
Don’t miss this opportunity to colonize FAIR practices in the AI frontier that is surely opening in your organization (whether your organization sanctions it or not). Download the FAIR Institute’s FAIR-AIR Playbook for a structured FAIR-based approach. Learn how to categorize the threat actors, identify the risk scenarios, find the data to quantify probable loss exposure and prioritize a cost-effective response to these new risks.
4. Fast reporting on material risks
Does the SEC, NY DFS, HHS or EU regulate your company? Then your compliance team needs your services for fast quantification of loss from a data breach or other cyber event, particularly if you’re required to report material impact in a timely way.
Start positioning yourself now by gathering data to populate the FAIR Materiality Assessment Model (FAIR-MAM™). This open-source model breaks down loss into cost modules that can be used to estimate the financial impact of an attack on any of the company’s business assets from any type of risk scenario. Since it’s based on FAIR, the standard for cyber risk quantification recognized by the National Institute of Standards and Technology, it’s legally defensible if challenged by a regulator.
5. Informed insurance buy
Insurance: A classic opportunity for a FAIR-powered team to inform the CFO with quantification of top cyber risks, risk by business unit or product line, aggregate risk for the enterprise or other cuts at loss exposure.
But the opportunity goes beyond that for a CISO aiming to have a wider organizational impact. At the 2023 FAIR Conference panel on insurance, Tom Srail, EVP Cyber Risk, Willis Tower Watson, said “I think the marketplace is changing. I think insurers are looking for more real data or more control assessments and less reliance on 200-item questionnaires – do you have MFA, yes or no.” Panelists agreed that, to negotiate for best rates, companies will need to offer up a deeper and more timely view of risk – the threat, asset and controls environments – that point toward FAIR automation.