With the skills and resources of attackers constantly improving, is cyber risk management a hopeless endeavor? As a FAIR consultant working with CISOs and risk management teams, I get asked this question from time to time, and the short answer is no, provided you follow these three best practices:
I have had the privilege or the curse of working with metrics--depending on which side of the fence you are on--through the course of my career. I have tended to lean towards the latter.
With large companies under near-constant attack from malware, phishing, and hacking attempts, estimating cybersecurity risk means reaching a clear understanding of how many of that massive number of threat events actually turn into loss events.
Precise definitions of the factors that go into an accurate risk analysis may be the bottom-line advantage of the FAIR approach. Vulnerability is a good example: it is most often loosely defined as "weakness", but FAIR gives it a focused and more useful meaning: "the probability that a threat event will become a loss event."
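The two excerpts above describe the same FAIR relationship: Loss Event Frequency is Threat Event Frequency multiplied by Vulnerability (the probability that a threat event becomes a loss event), and annual loss follows from that frequency and the magnitude of each loss event. The following is an added worked example, not code from the original posts or from the FAIR Institute: a small Monte Carlo model that treats Vulnerability as a probability rather than a count of weaknesses. The three-point (min / most likely / max) estimates, the choice of a modified PERT sampling distribution, the assumption that the factors are independent, and the phishing scenario numbers are all illustrative assumptions.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class Pert:
    """Three-point (min, most likely, max) estimate sampled as a modified PERT
    distribution (an assumption of this example; FAIR practice varies).
    lam=4 is the classic PERT weighting of the most-likely value."""
    low: float
    mode: float
    high: float
    lam: float = 4.0

    def __post_init__(self):
        if not self.low <= self.mode <= self.high:
            raise ValueError("need low <= mode <= high")

    def mean(self) -> float:
        return (self.low + self.lam * self.mode + self.high) / (self.lam + 2)

    def sample(self, rng: random.Random) -> float:
        if self.high == self.low:
            return self.low
        span = self.high - self.low
        a = 1 + self.lam * (self.mode - self.low) / span
        b = 1 + self.lam * (self.high - self.mode) / span
        return self.low + rng.betavariate(a, b) * span


def loss_event_frequency(tef: float, vulnerability: float) -> float:
    """Point estimate of the FAIR relation LEF = TEF * Vulnerability.
    Vulnerability here is the FAIR probability, not a number of weaknesses."""
    if not 0.0 <= vulnerability <= 1.0:
        raise ValueError("vulnerability must be a probability in [0, 1]")
    return tef * vulnerability


def expected_annual_loss(tef: Pert, vulnerability: Pert, loss_magnitude: Pert) -> float:
    """Analytic expectation, assuming the three factors are independent."""
    return tef.mean() * vulnerability.mean() * loss_magnitude.mean()


def _poisson(rate: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler; adequate for the modest annual rates used here."""
    threshold = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(tef: Pert, vulnerability: Pert, loss_magnitude: Pert,
                         years: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo over simulated years: sample this year's TEF and Vulnerability,
    draw how many threat events occur, keep the ones that become loss events, and
    add a sampled loss magnitude for each. Returns summary statistics."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        rate = tef.sample(rng)
        vuln = vulnerability.sample(rng)
        loss_events = sum(1 for _ in range(_poisson(rate, rng)) if rng.random() < vuln)
        annual.append(sum(loss_magnitude.sample(rng) for _ in range(loss_events)))
    annual.sort()
    n = len(annual)
    return {
        "mean": statistics.fmean(annual),
        "median": annual[n // 2],
        "p90": annual[int(0.9 * n)],
        "p_zero_loss_year": sum(1 for x in annual if x == 0.0) / n,
    }


# Constructed illustration inputs (not real data): a phishing-driven scenario.
TEF_EST = Pert(20, 50, 100)             # threat events per year
VULN_EST = Pert(0.02, 0.05, 0.15)       # P(threat event becomes a loss event)
LM_EST = Pert(5_000, 25_000, 250_000)   # loss per loss event, in dollars

if __name__ == "__main__":
    print("point LEF (50 events/yr, vulnerability 0.05):", loss_event_frequency(50, 0.05))
    print("analytic expected annual loss:", round(expected_annual_loss(TEF_EST, VULN_EST, LM_EST)))
    for name, value in simulate_annual_loss(TEF_EST, VULN_EST, LM_EST).items():
        print(f"{name}: {value:,.2f}")
```

The point worth taking from the simulation output is the spread, not the mean: the median year, the 90th percentile year, and the share of years with no loss at all are what let a CISO answer "how many of these threats actually cost us something", which a single expected-value figure hides.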
If you’re looking to hire a cyber risk analyst, or if you are a risk analyst looking to up your game, I recommend reading Jack Jones’ new eBook An Executive’s Guide to Cyber Risk Economics, where you’ll find the definitive checklist of skills required to do reliable risk analysis.