Forrester's recent report, The Cyber Risk Quantification Landscape, Q4 2022, called it a trend: "Firms in this market…report customers making the transition from experimentation to a more programmatic approach to CRQ." A programmatic approach, the research firm said, is the best way to "cement your role as a partner and enabler to the business."
We know: launching a risk management program built around Factor Analysis of Information Risk (FAIR™), the standard for cyber risk quantitative analysis, can sound like a heavy lift compared to the status quo of casual "qualitative" analysis, AKA the wet finger in the air.
But many successful FAIR practitioners have come before you and, luckily, they are a generous bunch who have left behind blog posts and FAIR Conference appearances sharing advice on the concrete steps you can take to bring CRQ to your organization.
Based on their collective wisdom, here’s a FAIR program implementation checklist.
1. Write a mission statement
The goal of a cyber risk quantification program is not cyber risk quantification for its own sake but achieving objectives that serve your team and the business through risk management over the long term. At the 2020 FAIR Conference, Harold Marcenaro of BCP bank presented this statement, a good model for setting goals that are high-level yet high-impact:
>>Aggregate the bank’s total loss exposure and learn how that breaks out among assets, products, etc.
>>Define a risk appetite.
>>Quantify specific risks and run cost/benefit analysis on mitigations.
>>Understand how investment in enterprise-wide security initiatives would decrease loss exposure.
>>Introduce FAIR-based tools into the decision-making process. “At the end of the day, if decisions aren’t made, any methodology is useless,” Marcenaro said.
2. Identify, Train, Equip One or More FAIR Risk Analysts
Our experts agree you need at least one dedicated analyst to run the program, at least to start. “But the key point is to dedicate employees; tell an employee that 10% of work goes for risk analysis and risk analysis will likely not get done,” wrote Chad Weinman, a veteran of many program launches at RiskLens.
Self-training with the FAIR book is an option, but the most direct way to bring your analyst up to speed is through the FAIR Analysis Fundamentals course, offered through the FAIR Institute live or online. To get serious about running a FAIR program at scale, you'll need an application that quickly performs analyses and outputs results in business-friendly formats. RiskLens, maker of a leading CRQ platform, is the technical adviser to the FAIR Institute, but there are other vendors. Before you select a platform, read the CRQ Buyer's Guide by FAIR creator Jack Jones.
3. Understand Your Stakeholders – then Educate, Recruit Them
“Any form of risk analysis requires you to immerse yourself in the strategy and operations of your organization to understand the context of the risk scenarios,” advised Evan Wheeler, Sr. Director, Technology Risk Management, Capital One. Understand how your stakeholders consume data and use it to make decisions.
Grounded in that understanding, you can introduce FAIR concepts that may be new (such as estimating probable risk in ranges that are “accurate with a useful amount of precision”) – but also be flexible enough to report on risk in formats comfortable for them, for instance, a color-coded heat map, backed up not by guesswork but solid quantitative analysis.
As you talk to stakeholders, keep an eye out for an executive champion, a business leader who converts to the cause of quantification and can help you introduce FAIR more widely in the organization.
4. Source Data for Analysis
Don’t be discouraged here. Thanks to the calibrated estimation techniques used in FAIR analysis, you have more data than you think and you need less data than you think, to paraphrase risk measurement authority Douglas Hubbard (learn more in this blog post by Jack Jones: No Data, No Problem).
Still, gathering data to feed analysis is an important early step, both interviewing subject matter experts within the organization (for instance, HR for hourly wage rates of cyber incident responders) and filling out the picture with industry data (see How to Find Data for Every One of the FAIR Factors, a talk by Wade Baker of Cyentia Institute at the 2020 FAIR Conference). For a quick look at risk figures for your industry, also see the RiskLens My Cyber Risk Benchmark tool. The RiskLens platform also comes with built-in data libraries. For a complete look at building a library, see this presentation by Tyler Britton of Dropbox at the 2022 FAIR Conference.
5. Run Your First Analysis
In An Adoption Guide for FAIR, Jack Jones wrote "there are two primary considerations when selecting a starting point for adoption that has executive visibility: meaningful results, achieved quickly." Jack suggested delivering those first results within 90 days to keep enthusiasm high.
A common starting point is an analysis of the top 10 risk scenarios for the company. As Jack wrote in First Two Moves a CISO Should Make, “You start with what the high-level loss event scenarios are that can be really meaningful to the organization. Then go down a couple layers of abstraction, parsing those high-level scenarios into more specific discrete scenarios. Then you do triage FAIR analyses on those scenarios. It’s not rocket science, and you don’t have to spend weeks or months going after a bunch of data, this is triage.”
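What a triage FAIR analysis of a discrete scenario actually computes, and how it serves the step 1 objectives (aggregate loss exposure, cost/benefit of a mitigation), is easier to see in code than in prose. The following is an added illustration, not the FAIR standard's reference model and not code from any vendor platform mentioned on this page. It keeps only the top-level FAIR factor structure (loss exposure per year = loss event frequency × loss magnitude) and runs a Monte Carlo simulation over calibrated min/most-likely/max range estimates. Assumptions, all labelled in the code: ranges are sampled as triangular distributions (FAIR tooling commonly uses PERT), annual event counts are Poisson given the sampled frequency, scenarios are independent, and the two scenarios and the "halve the frequency" control are constructed sample inputs, not real data.

```python
"""Monte Carlo triage of FAIR-style loss scenarios (added illustration,
not the FAIR standard's reference model or any vendor's code)."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated range estimate: minimum, most likely, maximum.
    ASSUMPTION: sampled as a triangular distribution to stay standard-library
    only; FAIR tooling commonly uses a PERT distribution instead."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """One discrete loss event scenario: a threat acting against an asset."""
    name: str
    lef: Estimate  # loss event frequency, events per year
    lm: Estimate   # loss magnitude, dollars per event


def _poisson(lam: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(scenarios, seed: int = 42, years: int = 10_000):
    """One simulated total annual loss per year, summed over all scenarios.
    Each year draws an LEF per scenario, a Poisson event count at that rate
    (ASSUMPTION: independent events and scenarios), and a magnitude per
    event. Summing across scenarios gives the aggregate loss exposure."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        year_loss = 0.0
        for sc in scenarios:
            events = _poisson(sc.lef.sample(rng), rng)
            year_loss += sum(sc.lm.sample(rng) for _ in range(events))
        totals.append(year_loss)
    return totals


def percentile(samples, pct: float) -> float:
    """Nearest-rank percentile over a sorted copy of the samples."""
    ordered = sorted(samples)
    idx = max(0, math.ceil(pct / 100 * len(ordered)) - 1)
    return ordered[idx]


def summarize(samples):
    """Mean (annualized loss expectancy), median, and 90th percentile."""
    return {
        "ale_mean": sum(samples) / len(samples),
        "p50": percentile(samples, 50),
        "p90": percentile(samples, 90),
    }


def mitigation_net_benefit(scenarios, control, annual_cost: float,
                           seed: int = 42, years: int = 10_000) -> float:
    """Cost/benefit of a control: reduction in mean ALE minus its annual cost.
    `control` maps a Scenario to the Scenario as it looks with the control
    in place (for example, a lower LEF range)."""
    before = summarize(simulate_annual_losses(scenarios, seed, years))["ale_mean"]
    after = summarize(simulate_annual_losses(
        [control(sc) for sc in scenarios], seed, years))["ale_mean"]
    return (before - after) - annual_cost


# Constructed sample inputs for the example; not real organizational data.
RANSOMWARE = Scenario("Ransomware on file servers",
                      lef=Estimate(0.1, 0.5, 2.0),
                      lm=Estimate(50_000, 200_000, 1_000_000))
INSIDER = Scenario("Privileged insider data theft",
                   lef=Estimate(0.02, 0.1, 0.5),
                   lm=Estimate(100_000, 500_000, 3_000_000))


def halve_lef(sc: Scenario) -> Scenario:
    """Hypothetical control assumed to cut loss event frequency in half."""
    return Scenario(sc.name,
                    Estimate(sc.lef.low / 2, sc.lef.mode / 2, sc.lef.high / 2),
                    sc.lm)


if __name__ == "__main__":
    portfolio = summarize(simulate_annual_losses([RANSOMWARE, INSIDER]))
    for key, value in portfolio.items():
        print(f"{key}: ${value:,.0f}")
    net = mitigation_net_benefit([RANSOMWARE, INSIDER], halve_lef, annual_cost=150_000)
    print(f"net annual benefit of halving LEF at $150k/yr: ${net:,.0f}")
```

The point of reporting the mean alongside the median and 90th percentile is exactly the "accurate with a useful amount of precision" idea from step 3: the range tells a decision-maker both the expected annual loss and a probable worst year, which a single heat-map colour cannot. Swapping the triangular sampler for PERT, or replacing LEF with its FAIR sub-factors (threat event frequency × vulnerability), changes only the sampling inside `Estimate` and `simulate_annual_losses`.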
6. Set up a Governance Process
It's a common threat to the longevity of a cyber risk management program: a CISO, analyst or executive champion leaves and the program loses direction. Build in protection early on, Tyler Britton of Dropbox advised. "Codify your quant risk program in a document to ensure that your program is dependent on the process and not a person. Key components should include prescriptive use cases, processes, ownership policy and responsibility guidelines." Learn more in this report from the 2021 FAIR Conference: Who Owns Cyber Risk? The Answer Isn't Clear in Many Organizations.