As a FAIR consultant, I have seen many organizations go through the transformation from qualitative to quantitative risk management. Often what I have found is that the transition from a world of no numbers (or very few numbers) to the quantitative risk world of numbers galore can be a little daunting.
‘Low’ loss exposure scenarios are often cause for celebration, or at least an exhausted sigh of relief from the CISO who is already juggling the remediation plans of countless other higher risk scenarios.
As auditors, you often get a bad rap. Given that audit is a compliance-focused profession, one of the many aspects of your job is telling someone that the way they do theirs is wrong, which is not a fun conversation for either party.
While I could easily write a novella focused solely on the many benefits of FAIR over other risk analysis methods, there is an important caveat to keep in mind when conducting FAIR analyses: The analysis is only as reliable as the analyst who conducted it.
Risk is inherent in business. By operating in the marketplace, offering products or services to the public, processing transactions or storing data, companies large and small face risk, and increasingly that’s cyber risk. The question is, how do these companies decide whether to accept or respond to risks?
(To the tune of Ice Ice Baby)
Alright, stop! Collaborate, and listen. FAIR is back to give advice you been missin’
If Risk has grabbed ahold of you tightly, run an analysis, quantify it rightly.