FAIR Institute Blog

Insights from Dropbox on Building a Quantitative Cyber Risk Management Program

[fa icon="calendar"] Mar 30, 2022 4:52:48 PM / by Jeff B. Copeland

FAIRCON22 - Dropbox FAIR Risk Quantification Program - 3 Must-Haves - FeaturedDropbox is taking a methodical and thoughtful approach to implement its FAIR quantitative risk management program, led by cyber risk manager Tyler Britton who shared his insights in a presentation at the first quarterly event in the 2022 FAIR Conference series. If you’re in launch mode, you’ll want to listen carefully to each of the Tyler’s points (listed here with time stamps), as he covers the three must-have supports for a FAIR program: data library, governance and resources.

Watch the video of the Dropbox presentation:

Building a Quantitative Cyber Risk Program Based on FAIR at the Q1 event in the FAIRCON event series for 2022. FAIR Institute membership required to view. Join the FAIR Institute now.

1:26 Defining the FAIR program you want, from ad hoc analyses to a fully quantitative risk management program. 

2:21 Challenges of building a FAIR program, from setting the vision to finding executive champions to “taking a hard look in the mirror and asking do those controls really do anything?”

6:12 Three-segment approach to building a FAIR program. “If one of them fails, the program fails.”

  • Data Library to feed analysis
  • Governance -- the processes and documentation to keep the program resilient
  • Resources – the people and tools 

8:02 What goes into a data library: information verified by your subject matter experts and easily accessible for quick analysis. It’s important in reporting to stakeholders to “be crystal clear about the data you have” and where you are making educated estimations.

 FAIRCON22 - Dropbox Building a FAIR Cyber Risk Quantification - Data Library

14:36 Governance – should include prescriptive use cases to do analysis and an ownership model that determines what happens with analysis results to answer the “so what?” factor. Think of FAIR as a service to meet the needs of different teams in the organization. 

20:02 Resourcing. At least one to three people dedicated to FAIR, with emphasis on “dedicated” plus adequate tools (Dropbox uses RiskLens analytics software and ServiceNow risk registers).

26:07– Tyler wraps up his points on data libraries, governance and resources.


FAIRCON22 - Dropbox Building a FAIR Cyber Risk Quantification Program - Wrap Up

Topics: FAIR Conference 2022

Jeff B. Copeland

Written by Jeff B. Copeland

Jeff is the Content Marketing Manager for RiskLens.

Join the FAIR Community

Subscribe to Email Updates

Learn How FAIR Can Help You
Make Better Business Decisions

Recent Posts