I previously wrote a blog post, My Risk Problem and How I Solved It, about how the lightbulb finally went on after learning FAIR™ - I realized that you can’t build a risk management program with just inherent and residual risk.
Good choice - there are an estimated 3.5 million unfilled jobs in cybersecurity worldwide right now, and the position of cyber risk analyst is on the cutting edge of career choices.
Phew, what a year 2020 was. Now that the new year has come, you may be thinking about how to start, change or stop doing activities within your FAIR quantitative risk management program. Let's take a look at five things you can do now for a better 2021.
Whether it is difficulty with data gathering, calibrating estimates, or presenting results, problems that come up in FAIR analysis tend to stem from the same source: a lack of a clearly defined risk scenario statement.
This is definitely a crazy time for those of us who run cyber risk analytics or cybersecurity management – “unprecedented,” everyone says.
With the skills and resources of attackers constantly improving, is cyber risk management a hopeless endeavor? This is a question I get asked from time to time as a FAIR consultant working with CISOs and risk management teams and, in short, the answer is no, if you follow these three best practices:
I have had the privilege or the curse of working with metrics, depending on which side of the fence you are on, through the course of my career. I have tended to lean towards the latter.
With large companies under near constant attack from malware, phishing, and hacking attempts, getting an estimate on cybersecurity risk means reaching a clear understanding of how many of the massive number of threats actually turn into losses.
Precise definitions of the factors that go into an accurate risk analysis – that may be the bottom-line advantage of the FAIR approach. For a great example, take Vulnerability, most often loosely defined as "weakness"; FAIR gives it a focused and more useful meaning: “the probability that a threat event will become a loss event.”
If you’re looking to hire a cyber risk analyst – or if you are a risk analyst looking to up your game – I recommend reading Jack Jones’ new eBook An Executive’s Guide to Cyber Risk Economics where you’ll find the definitive checklist of skills required to do reliable risk analysis.