We know…launching a risk management program built around Factor Analysis of Information Risk (FAIR™), the standard for cyber risk quantitative analysis, can sound like a heavy lift compared to the status quo of casual “qualitative” analysis, AKA the wet finger in the air.
But many successful FAIR practitioners have come before you and, luckily, they are a generous bunch who have left behind blog posts and FAIR Conference appearances sharing advice on the concrete steps you can take to bring CRQ to your organization.
Based on their collective wisdom, here’s a FAIR program implementation checklist.
>>Aggregate the bank’s total loss exposure and learn how that breaks out among assets, products, etc.
>>Define a risk appetite.
>>Quantify specific risks and run cost/benefit analysis on mitigations.
>>Understand how investment in enterprise-wide security initiatives would decrease loss exposure.
>>Introduce FAIR-based tools into the decision-making process. “At the end of the day, if decisions aren’t made, any methodology is useless,” Marcenaro said.
Video: See BCP Bank’s Mission Statement and Project Plan for FAIR Program Launch
Our experts agree you need at least one dedicated analyst to run the program, at least to start. “But the key point is to dedicate employees; tell an employee that 10% of work goes for risk analysis and risk analysis will likely not get done,” wrote Chad Weinman, a veteran of many program launches at RiskLens.
Self-training with the FAIR book is an option, but the most direct way to bring your analyst up to speed is through the FAIR Analysis Fundamentals course, offered through the FAIR Institute live or online. To get serious about running a FAIR program at scale, you’ll need an application that quickly performs analyses and outputs results in business-friendly formats. RiskLens, maker of a leading CRQ platform, is the technical adviser to the FAIR Institute, but there are other vendors. Before you select a platform, read the CRQ Buyer’s Guide by FAIR creator Jack Jones.
Grounded in that understanding, you can introduce FAIR concepts that may be new (such as estimating probable risk in ranges that are “accurate with a useful amount of precision”) – but also be flexible enough to report on risk in formats comfortable for them, for instance, a color-coded heat map, backed up not by guesswork but solid quantitative analysis.
As you talk to stakeholders, keep an eye out for an executive champion, a business leader who converts to the cause of quantification and can help you introduce FAIR more widely in the organization.
4 Questions and 4 Action Steps to Get a FAIR Program Off the Ground by Evan Wheeler
Don’t be discouraged here. Thanks to the calibrated estimation techniques used in FAIR analysis, you have more data than you think and you need less data than you think, to paraphrase risk measurement authority Douglas Hubbard (learn more in this blog post by Jack Jones: No Data, No Problem).
In An Adoption Guide for FAIR, Jack Jones wrote “there are two primary considerations when selecting a starting point for adoption that has executive visibility: meaningful results, achieved quickly” – Jack suggested within the first 90 days to keep enthusiasm high.
A common starting point is an analysis of the top 10 risk scenarios for the company. As Jack wrote in First Two Moves a CISO Should Make, “You start with what the high-level loss event scenarios are that can be really meaningful to the organization. Then go down a couple layers of abstraction, parsing those high-level scenarios into more specific discrete scenarios. Then you do triage FAIR analyses on those scenarios. It’s not rocket science, and you don’t have to spend weeks or months going after a bunch of data, this is triage.”
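What a triage-style quantification of two such scenarios looks like in code, as an added example (this is not code from the FAIR Institute, RiskLens or this post): each scenario's loss event frequency and loss magnitude are calibrated ranges, Monte Carlo simulation turns them into annualized loss exposure per scenario and in aggregate, a heat-map colour is derived from the quantitative figure, and a control's cost/benefit is computed. The scenario names, ranges, heat-map thresholds and the use of triangular distributions are constructed assumptions.

```python
import math
import random
import statistics
# Constructed inputs (not from the page): calibrated (min, most likely, max)
# ranges for loss event frequency (events/year) and loss magnitude ($/event).
SCENARIOS = {
    "ransomware on file servers": {"lef": (0.1, 0.5, 2.0), "lm": (50_000, 400_000, 3_000_000)},
    "customer DB breach via web app": {"lef": (0.05, 0.2, 1.0), "lm": (200_000, 1_500_000, 10_000_000)},
}
# random.triangular takes (low, high, mode), so reorder the (min, most likely, max) range.
draw = lambda rng, r: rng.triangular(r[0], r[2], r[1])

def poisson(rng, lam):
    # Knuth's method: number of loss events in one year for an annual rate lam.
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(lef, lm, n=10_000, seed=1, lef_scale=1.0):
    # Top-level FAIR decomposition: annual loss = sum of loss magnitudes over that year's
    # loss events. Triangular draws are an assumption (FAIR tools often use PERT); lef_scale < 1 models a control cutting frequency.
    rng = random.Random(seed)
    samples = []
    for _ in range(n):
        events = poisson(rng, draw(rng, lef) * lef_scale)
        samples.append(sum(draw(rng, lm) for _ in range(events)))
    return samples

def percentile(samples, q):
    return sorted(samples)[min(len(samples) - 1, int(q * len(samples)))]

def heat_map_bucket(loss, thresholds=(100_000, 1_000_000, 5_000_000)):
    # Translate a dollar figure onto the qualitative scale stakeholders expect.
    return next((l for l, t in zip(("Low", "Medium", "High"), thresholds) if loss < t), "Critical")

def portfolio(scenarios, n=10_000):
    # Aggregate loss exposure across scenarios, plus per-scenario P90 loss and heat-map colour.
    per = {k: simulate_annual_loss(s["lef"], s["lm"], n) for k, s in scenarios.items()}
    total = [sum(t) for t in zip(*per.values())]
    report = {k: (percentile(v, 0.9), heat_map_bucket(percentile(v, 0.9))) for k, v in per.items()}
    return statistics.mean(total), percentile(total, 0.9), report

def mitigation_value(scenario, annual_cost, lef_scale, n=10_000):
    # Cost/benefit: expected annual loss avoided by a control minus its cost.
    run = lambda scale: statistics.mean(simulate_annual_loss(scenario["lef"], scenario["lm"], n, lef_scale=scale))
    return run(1.0) - run(lef_scale) - annual_cost
```

With the constructed ranges, the expected annual loss for the ransomware scenario lands near $1M and the two-scenario aggregate near $2.6M; the P90 figures, not the means, are what the heat map reports.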
It’s a common threat to the longevity of a cyber risk management program – a CISO, analyst or executive champion leaves and the program loses direction. Build in protection early on, Tyler Britton of Dropbox advised. “Codify your quant risk program in a document to ensure that your program is dependent on the process and not a person. Key components should include prescriptive use cases, processes, ownership policy and responsibility guidelines.” Learn more in this report from the 2021 FAIR Conference: Who Owns Cyber Risk? The Answer Isn’t Clear in Many Organizations.