FAIR Institute Blog

Been There, Done That: 5 Bits of Advice on Setting Up Your FAIR Risk Management Program from 6 Experienced FAIR Institute Members

Jun 22, 2021 10:11:53 AM / by Jeff B. Copeland

A lot of first-hand, from-the-field experience gets passed on in our Meet a Member video interviews with FAIR Institute members. Here’s a selection of some of the highlights.

By the way, if you’d like to share your quantitative risk management experience with the community through a Meet a Member interview, please contact us. And if you’re just starting out researching or implementing FAIR, we welcome you to join the FAIR™ community, too.


Always speak about risk in FAIR terms

Time and again, we hear from members that the first benefit of FAIR adoption is creating a shared understanding of risk – starting with your discipline in adhering to the FAIR standard’s vocabulary in discussions. 

“By sharing your thoughts on security in a consistent manner, you’re focusing less on the format of the presentation and more on the risk itself. The rigor with which the FAIR ontology allows you to approach a problem is very clear and understandable. Once the audience understands that it becomes more thoughtful conversation about the risk itself.” 

--Meet a Member: Andrew Retrum, Managing Director, Global Financial Services Security and Privacy at Protiviti 


Stay focused on loss event scenarios 

FAIR analysis starts with a well-scoped loss event scenario for a threat actor impacting an asset. That doesn’t just focus the analysis, it clarifies the results for stakeholders.

“If you can boil it down to the specific loss event scenarios that resonate with business leaders, they can understand the disruption of the critical service which is supporting their business goal.” 

-- Meet a Member: Drew Simonis, VP, Global Security, Hewlett Packard Enterprise 


It’s a journey: educate first, present quantitative analysis later 

Risk quantification can be a cultural shock for an organization used to hearing about cyber risk in the form of opinions without reference to a standard model.

“The first time, you should never be communicating quantifiable risk analysis, you need to have a conversation with the business ahead of time… You should always be leveraging every conversation as an opportunity for education.” 

--Meet a Member: Mary Faulkner, CISO, Thrivent 


Start your journey to Factor Analysis of Information Risk with the FAIR Analysis Fundamentals training course. 



Network: to succeed as a FAIR risk analyst, know the right people in your organization 

Subject matter experts are one of the critical sources of data for FAIR analysis. 

“For me, the key challenge for risk professionals today is what I call footprint and how wide is that footprint. That means your network, your knowledge…You need a wide footprint to tap into the experts when the situation calls for it.”

--Meet a Member: Michael Kenney, Member of the Global Advisory Board at OpRisk Global, former Vice President, Operational Risk at Freddie Mac 


Remember, you’re not making predictions, you’re showing a range of probable outcomes

FAIR analysis doesn’t produce a precise outcome (which can be precisely wrong) but a range of probable outcomes for loss exposure to support informed decision-making by the organization. That has implications both for data gathering and analysis presentation.

“What I can control when gathering information is to not be perfect… I try every time as I approach an analysis to have an 80/20 mentality…You can always go back and tweak the numbers later…Remember the FAIR model is allowing you to work in ranges so it gives you that flexibility.” 

--Meet a Member: Robert Immella, Senior Information Security Risk Analyst, Key Bank

“Some of our assessments have come out with pretty high exposure values, annualized loss expectancy of 10 and 20 million dollars, and without the proper context, you throw that in front of somebody and they are immediately thinking, are you really saying we’re going to lose 20 million dollars next year? I think it’s really important that, as you go into discussions…to let them understand that you’re not making a prediction, you’re assessing exposure.”

--Meet a Member: Timothy Titcomb, Vice President, Information Security, Fidelity Investments
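To make the range-versus-prediction point above concrete, here is an added illustration that is not part of the original post or any member's interview: a small Monte Carlo sketch in the spirit of FAIR. It uses constructed (minimum, most likely, maximum) ranges for loss event frequency and per-event loss magnitude, with a triangular distribution standing in for the PERT ranges FAIR tools typically use, and reports annual loss exposure as percentiles rather than as a single number.

```python
# Added example, not from the FAIR Institute post: why FAIR output is a range
# of loss exposure, not a prediction. All input ranges below are constructed.
import math
import random
import statistics

LEF_RANGE = (0.1, 0.5, 2.0)                          # loss events per year
LOSS_MAGNITUDE_RANGE = (50_000, 500_000, 5_000_000)  # dollars per event


def sample_range(rng, lo, most_likely, hi):
    """Triangular draw; a stand-in for the PERT distributions FAIR tools use."""
    return rng.triangular(lo, hi, most_likely)


def poisson(rng, lam):
    """Number of loss events in one year given an expected frequency (Knuth)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def point_estimate(lef=LEF_RANGE, magnitude=LOSS_MAGNITUDE_RANGE):
    """The 'precisely wrong' single number: most-likely frequency x most-likely loss."""
    return lef[1] * magnitude[1]


def simulate_annual_loss(lef=LEF_RANGE, magnitude=LOSS_MAGNITUDE_RANGE,
                         years=10_000, seed=2021):
    """Simulate many years; each year draws a frequency, then per-event losses."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        events = poisson(rng, sample_range(rng, *lef))
        losses.append(sum(sample_range(rng, *magnitude) for _ in range(events)))
    return losses


def summarize(losses):
    """Report exposure as percentiles, the way a FAIR result is communicated."""
    s = sorted(losses)
    pct = lambda p: s[min(len(s) - 1, int(p * len(s)))]
    return {"p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
            "mean": statistics.fmean(s), "max": s[-1]}


if __name__ == "__main__":
    print(f"single-point estimate: ${point_estimate():,.0f}")
    for k, v in summarize(simulate_annual_loss()).items():
        print(f"{k:>5}: ${v:,.0f}")
```

Because roughly half the simulated years contain no loss event at all while a few contain several large ones, the mean sits well above the most-likely-times-most-likely point estimate, which is exactly the "are you saying we'll lose $20 million next year?" confusion the quote warns about.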


Written by Jeff B. Copeland

Jeff is the Content Marketing Manager for RiskLens.
