Been There, Done That: 5 Bits of Advice on Setting Up Your FAIR Risk Management Program from 6 Experienced FAIR Institute Members
A lot of first-hand, from-the-field experience gets passed on in our Meet a Member video interviews with FAIR Institute members. Here’s a selection of some of the highlights.
By the way, if you’d like to share your quantitative risk management experience with the community through a Meet a Member interview, please contact us. And if you’re just starting out researching or implementing FAIR, we welcome you to join the FAIR™ community, too.
Always speak about risk in FAIR terms
Time and again, we hear from members that the first benefit of FAIR adoption is creating a shared understanding of risk – starting with your discipline in adhering to the FAIR standard’s vocabulary in discussions.
“By sharing your thoughts on security in a consistent manner, you’re focusing less on the format of the presentation and more on the risk itself. The rigor with which the FAIR ontology allows you to approach a problem is very clear and understandable. Once the audience understands that it becomes more thoughtful conversation about the risk itself.”
Stay focused on loss event scenarios
FAIR analysis starts with a well-scoped loss event scenario: a specific threat actor acting against a specific asset, and the loss the organization would suffer as a result. That doesn’t just focus the analysis; it also makes the results clearer to stakeholders.
“If you can boil it down to the specific loss event scenarios that resonate with business leaders, they can understand the disruption of the critical service which is supporting their business goal.”
It’s a journey: educate first, present quantitative analysis later
Risk quantification can be a cultural shock for an organization used to hearing about cyber risk in the form of opinions without reference to a standard model.
“The first time, you should never be communicating quantifiable risk analysis, you need to have a conversation with the business ahead of time… You should always be leveraging every conversation as an opportunity for education.”
Start your journey to Factor Analysis of Information Risk with the FAIR Analysis Fundamentals training course.
Network: to succeed as a FAIR risk analyst, know the right people in your organization
Subject matter experts are one of the critical sources of data for FAIR analysis.
“For me, the key challenge for risk professionals today is what I call footprint and how wide is that footprint. That means your network, your knowledge…You need a wide footprint to tap into the experts when the situation calls for it.”
Remember, you’re not making predictions, you’re showing a range of probable outcomes
FAIR analysis doesn’t produce a single point estimate (which can be precisely wrong) but a range of probable outcomes for loss exposure, to support informed decision-making by the organization. That has implications both for how you gather data and for how you present the analysis.
“What I can control when gathering information is to not be perfect… I try every time as I approach an analysis to have an 80/20 mentality…You can always go back and tweak the numbers later…Remember the FAIR model is allowing you to work in ranges so it gives you that flexibility.”
“Some of our assessments have come out with pretty high exposure values, annualized loss expectancy of 10 and 20 million dollars, and without the proper context, you throw that in front of somebody and they are immediately thinking, are you really saying we’re going to lose 20 million dollars next year? I think it’s really important that, as you go into discussions…to let them understand that you’re not making a prediction, you’re assessing exposure.”
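To make the difference between a prediction and an exposure concrete, here is an added example (my own illustration, not code or figures from the FAIR Institute or any member quoted above). It uses the simulation approach common in FAIR tooling: loss event frequency and loss magnitude are each entered as a calibrated minimum / most-likely / maximum range, sampled from a PERT distribution, and the annual loss is run through a Monte Carlo simulation. The input ranges are constructed for the example. The point it makes is the one in the quote: an annualized figure in the millions can sit alongside a large share of simulated years in which nothing is lost at all, and the "most likely × most likely" point estimate can be far below the mean.

```python
"""Monte Carlo loss-exposure simulation over FAIR-style ranges (added example).

Inputs are calibrated min / most-likely / max ranges rather than point values;
the output is a distribution of annual loss, not a single number.  All figures
used below are constructed for illustration, not taken from the article.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """A calibrated estimate: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def __post_init__(self):
        if not (self.low <= self.mode <= self.high):
            raise ValueError("range must satisfy low <= mode <= high")


def sample_pert(r: Range, rng: random.Random, shape: float = 4.0) -> float:
    """Draw one value from a PERT distribution bounded by r.low..r.high.

    PERT is a beta distribution rescaled to the range; `shape` (4 is the
    conventional value) controls how tightly draws cluster around the mode.
    """
    span = r.high - r.low
    if span == 0:
        return r.low
    alpha = 1.0 + shape * (r.mode - r.low) / span
    beta = 1.0 + shape * (r.high - r.mode) / span
    return r.low + span * rng.betavariate(alpha, beta)


def sample_poisson(rate: float, rng: random.Random) -> int:
    """Number of loss events in one year given an expected annual rate.

    Knuth's method; fine for the small rates typical of loss event scenarios.
    """
    if rate <= 0:
        return 0
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(lef: Range, lm: Range, trials: int = 20000, seed: int = 1) -> dict:
    """Simulate `trials` years; each year draws a frequency, a Poisson event
    count at that frequency, and one loss-magnitude draw per event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        rate = sample_pert(lef, rng)
        events = sample_poisson(rate, rng)
        losses.append(sum(sample_pert(lm, rng) for _ in range(events)))
    losses.sort()
    mean = statistics.fmean(losses)

    def pct(q: float) -> float:
        return losses[min(len(losses) - 1, int(q * len(losses)))]

    return {
        # what a "most likely x most likely" single-number estimate would say
        "point_estimate": lef.mode * lm.mode,
        "mean": mean,                      # the annualized loss exposure figure
        "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
        "max": losses[-1],
        "prob_no_loss": sum(1 for x in losses if x == 0) / len(losses),
        "prob_exceeds_mean": sum(1 for x in losses if x > mean) / len(losses),
    }


if __name__ == "__main__":
    # Constructed scenario: an outage of a critical service, 0.2-3 events/year
    # (most likely 1), each costing $50k-$5M (most likely $500k).
    result = simulate_annual_loss(
        lef=Range(0.2, 1.0, 3.0),
        lm=Range(50_000, 500_000, 5_000_000),
    )
    for key, value in result.items():
        print(f"{key:>18}: {value:,.2f}")
```

Read the output as exposure, not prophecy: the mean is the annualized figure a stakeholder might mistake for "what we will lose next year", while `prob_no_loss` and the percentiles show how often the simulated year actually comes in far below (or above) it. Because the distribution is right-skewed, the mean sits above the median and most simulated years lose less than the mean.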