By the way, if you’d like to share your quantitative risk management experience with the community through a Meet Member interview, please contact us. And if you’re just starting out researching or implementing FAIR, we welcome you to join the FAIR™ community, too.
Always speak about risk in FAIR terms
Time and again, we hear from members that the first benefit of FAIR adoption is a shared understanding of risk, and that it starts with disciplined use of the FAIR standard's vocabulary in every risk discussion.
“By sharing your thoughts on security in a consistent manner, you’re focusing less on the format of the presentation and more on the risk itself. The rigor with which the FAIR ontology allows you to approach a problem is very clear and understandable. Once the audience understands that it becomes more thoughtful conversation about the risk itself.”
Stay focused on loss event scenarios
FAIR analysis starts with a well-scoped loss event scenario: a specific threat actor acting against a specific asset, producing a specific effect (for example, loss of confidentiality, integrity or availability). Scoping the scenario this way doesn't just focus the analysis, it makes the results legible to stakeholders.
“If you can boil it down to the specific loss event scenarios that resonate with business leaders, they can understand the disruption of the critical service which is supporting their business goal.”
-- Meet a Member: Drew Simonis, VP, Global Security, Hewlett Packard Enterprise
It’s a journey: educate first, present quantitative analysis later
“The first time, you should never be communicating quantifiable risk analysis, you need to have a conversation with the business ahead of time… You should always be leveraging every conversation as an opportunity for education.”
-- Meet a Member: Mary Faulkner, CISO, Thrivent
Start your journey to Factor Analysis of Information Risk with the FAIR Analysis Fundamentals training course.
Network: to succeed as a FAIR risk analyst, know the right people in your organization
Subject matter experts are one of the critical sources of data for FAIR analysis.
“For me, the key challenge for risk professionals today is what I call footprint and how wide is that footprint. That means your network, your knowledge…You need a wide footprint to tap into the experts when the situation calls for it.”
Remember, you’re not making predictions, you’re showing a range of probable outcomes
“What I can control when gathering information is to not be perfect… I try every time as I approach an analysis to have an 80/20 mentality…You can always go back and tweak the numbers later…Remember the FAIR model is allowing you to work in ranges so it gives you that flexibility.”
-- Meet a Member: Robert Immella, Senior Information Security Risk Analyst, Key Bank
“Some of our assessments have come out with pretty high exposure values, annualized loss expectancy of 10 and 20 million dollars, and without the proper context, you throw that in front of somebody and they are immediately thinking, are you really saying we’re going to lose 20 million dollars next year? I think it’s really important that, as you go into discussions…to let them understand that you’re not making a prediction, you’re assessing exposure.”
-- Meet a Member: Timothy Titcomb, Vice President, Information Security, Fidelity Investments
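The two points above, that FAIR works in ranges and that an annualized loss figure is a statement of exposure rather than a forecast, are easiest to see by running the numbers. The following is an added example, not code from the FAIR Institute, any of the members quoted, or any FAIR tool. It assumes a single loss event scenario with calibrated (min, most likely, max) estimates for Loss Event Frequency and Loss Magnitude, samples each with a triangular distribution, draws the number of events in a simulated year from a Poisson process at the sampled frequency, and summarizes the resulting distribution of annual loss. The input ranges are constructed for illustration only.

```python
import math
import random
from statistics import mean

# Constructed, illustrative inputs (not from the article). Each is a
# calibrated estimate expressed as (min, most likely, max).
# LEF: loss events per year for the scenario; LM: loss in USD per event.
LEF_RANGE = (0.5, 1.0, 3.0)
LM_RANGE = (100_000, 500_000, 4_000_000)


def poisson(rng, lam):
    """Knuth's algorithm: number of events in one year at annual rate lam."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(lef_range, lm_range, trials=10_000, seed=1):
    """Monte Carlo over simulated years; returns one annual loss per trial."""
    rng = random.Random(seed)
    lo_f, ml_f, hi_f = lef_range
    lo_m, ml_m, hi_m = lm_range
    annual_losses = []
    for _ in range(trials):
        # random.triangular takes (low, high, mode).
        lef = rng.triangular(lo_f, hi_f, ml_f)
        events = poisson(rng, lef)
        # Each event in the year gets its own magnitude draw.
        annual_losses.append(
            sum(rng.triangular(lo_m, hi_m, ml_m) for _ in range(events))
        )
    return annual_losses


def percentile(sorted_values, q):
    """Nearest-rank percentile for 0 < q <= 1 on an ascending list."""
    idx = min(len(sorted_values) - 1, math.ceil(q * len(sorted_values)) - 1)
    return sorted_values[max(idx, 0)]


def probability_exceeding(losses, threshold):
    """Share of simulated years whose loss exceeds the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def summarize(losses):
    """Exposure summary: the mean is the annualized loss expectancy (ALE),
    but the percentiles are what tell a stakeholder how wide the range is."""
    s = sorted(losses)
    return {
        "mean": mean(s),
        "p10": percentile(s, 0.10),
        "p50": percentile(s, 0.50),
        "p90": percentile(s, 0.90),
        "max": s[-1],
        "p_zero_loss": s.count(0) / len(s),
    }


if __name__ == "__main__":
    losses = simulate(LEF_RANGE, LM_RANGE)
    summary = summarize(losses)
    for key, value in summary.items():
        print(f"{key:>12}: {value:,.0f}" if key != "p_zero_loss"
              else f"{key:>12}: {value:.1%}")
    print(f"P(loss > ALE): {probability_exceeding(losses, summary['mean']):.1%}")
```

Read the output the way the quotes above suggest: the mean is the ALE, but a large share of simulated years show zero loss and the 90th percentile sits well above the mean, so presenting the mean alone as "what we will lose next year" misrepresents the analysis. Presenting the 10th, 50th and 90th percentiles alongside it, and revisiting the input ranges as better estimates arrive, is what the 80/20 approach to data gathering relies on.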