Case Study: Launching, Scaling a FAIR Program at Netflix

Introduction

Netflix was a data-driven organization with one major exception: cyber risk management still operated with subjective “red, yellow or green” risk statements. Senior management was dissatisfied that these risk analyses did not support decision-making.

Netflix brought in Tony Martin-Vegue, a long-time FAIR advocate and co-chair of the San Francisco Bay Area FAIR Institute Chapter, later joined by Prashanthi Koutha, a veteran of the Walmart FAIR program launch.

Socialization: Preparing the Way for FAIR

Before Tony and Prashanthi could fully launch a program, they faced confusion and resistance over moving to risk reporting in quantitative terms. Their overall strategy:

1.  Take it one step at a time.
2.  Find allies.
3.  Meet stakeholders where they are in information consumption, customize reporting to fit.


“The key to success is accepting that red-yellow-green is the de facto language of risk and working with that. We didn’t throw their heat maps in the trash can.”

--Tony Martin-Vegue



FAIRCON22 - Tony Martin-Vegue and Prashanthi Koutha 3

Winning Acceptance of FAIR

Tony and Prashanthi focused on two targets of opportunity to introduce FAIR and establish the value of quantitative risk management.

1.  Offer cost/benefit analysis for recent programs

They sought program managers who were six months out from launching a new control or process and offered to do a cost/benefit analysis, comparing the risk reduction achieved to a baseline risk and a forecast for the next year. “We never had anyone turn us down,” Tony said.



“What we really want to know is when an investment is not worth it. Then you have the chance to course correct. FAIR enables us to do that. If we didn’t have FAIR, a bad control could be costing us more than it was worth, and we would never know.”

--Tony Martin-Vegue



2.  Prioritize the risk register

Like many organizations, Netflix had a risk register that served as a place to report audit or pen-test findings or other perceived risks, and that was often the end of the story. Tony said, “The first thing was to get people to think of the risk register not as a list of bad things to fix but a decision register.” Tony and Prashanthi set out to normalize the entries, restating them as FAIR risk scenarios with a threat actor, an asset, and an effect. As a result, entries could be scoped, then prioritized for decisions on remediation, or even deleted on the grounds that they did not represent a risk.
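The two activities described above, the cost/benefit review of a recently launched control and the normalization and prioritization of risk register entries, can both be illustrated with a small FAIR-style Monte Carlo. The following is an added example written for this case study; it is not Netflix's code, and the scenario names, threat actors, assets, frequencies, loss magnitudes and the control cost are constructed placeholder values. The decomposition (annual loss as the sum of per-event losses, with the number of events drawn around a Loss Event Frequency estimate, and PERT-shaped min/most-likely/max inputs) follows common FAIR practice rather than anything the case study specifies.

```python
"""Constructed FAIR-style illustration (not Netflix's code). All numbers are
placeholders; the modelling choices are assumptions, not the case study's."""
from dataclasses import dataclass
import math
import random
import statistics


@dataclass(frozen=True)
class Pert:
    """Min / most-likely / max estimate, sampled as a PERT (scaled beta)."""
    low: float
    mode: float
    high: float

    def sample(self, rng, lam=4.0):
        if self.high == self.low:
            return self.low
        span = self.high - self.low
        a = 1 + lam * (self.mode - self.low) / span
        b = 1 + lam * (self.high - self.mode) / span
        return self.low + rng.betavariate(a, b) * span


@dataclass(frozen=True)
class Scenario:
    """A risk register entry restated as a FAIR scenario."""
    name: str
    threat_actor: str
    asset: str
    effect: str   # e.g. confidentiality, integrity or availability loss
    lef: Pert     # loss event frequency, events per year
    lm: Pert      # loss magnitude per event, in dollars


def poisson(rng, lam):
    """Knuth's Poisson sampler; fine for the small event rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(scenario, iterations=10_000, seed=1):
    """Monte Carlo: one simulated year per iteration, returning each year's loss."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        events = poisson(rng, scenario.lef.sample(rng))
        losses.append(sum(scenario.lm.sample(rng) for _ in range(events)))
    return losses


def annualized_loss_exposure(scenario, iterations=10_000, seed=1):
    """Mean simulated annual loss (the ALE used for ranking and comparison)."""
    return statistics.fmean(simulate_annual_losses(scenario, iterations, seed))


def cost_benefit(baseline, with_control, annual_control_cost, seed=1):
    """Compare exposure with and without a control, as in the six-month reviews."""
    base = annualized_loss_exposure(baseline, seed=seed)
    ctrl = annualized_loss_exposure(with_control, seed=seed)
    reduction = base - ctrl
    return {"baseline_ale": base, "controlled_ale": ctrl,
            "risk_reduction": reduction, "control_cost": annual_control_cost,
            "net_benefit": reduction - annual_control_cost}


def prioritize(scenarios, seed=1):
    """Order register entries by annualized loss exposure, largest first."""
    ranked = sorted(scenarios, reverse=True,
                    key=lambda s: annualized_loss_exposure(s, seed=seed))
    return [s.name for s in ranked]


# Constructed sample register entries (placeholder values, not real findings).
CREDENTIAL_THEFT = Scenario(
    "Stolen credentials used against customer records",
    threat_actor="external criminal", asset="customer database",
    effect="confidentiality loss",
    lef=Pert(0.5, 1.0, 2.0), lm=Pert(100_000, 500_000, 2_000_000))

# The same scenario after a hypothetical control that lowers event frequency.
CREDENTIAL_THEFT_WITH_MFA = Scenario(
    CREDENTIAL_THEFT.name + " (with MFA)", CREDENTIAL_THEFT.threat_actor,
    CREDENTIAL_THEFT.asset, CREDENTIAL_THEFT.effect,
    lef=Pert(0.1, 0.25, 0.5), lm=CREDENTIAL_THEFT.lm)

LAPTOP_LOSS = Scenario(
    "Unencrypted laptop lost in transit",
    threat_actor="opportunistic finder", asset="employee laptop",
    effect="confidentiality loss",
    lef=Pert(1.0, 3.0, 6.0), lm=Pert(5_000, 20_000, 60_000))

if __name__ == "__main__":
    print(cost_benefit(CREDENTIAL_THEFT, CREDENTIAL_THEFT_WITH_MFA, 200_000))
    print(prioritize([LAPTOP_LOSS, CREDENTIAL_THEFT]))
```

The point of `cost_benefit` is the one Tony makes: the output is a dollar figure for risk reduction that can be set against the control's annual cost, so a control whose cost exceeds its reduction shows up as a negative net benefit instead of staying invisible behind a green cell. `prioritize` is the "decision register" view: an entry that cannot be expressed as a threat actor acting on an asset with an effect cannot be constructed as a `Scenario` at all, which is the same filter that let entries be deleted for not representing a risk.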

Scaling the FAIR program

As the FAIR program grew and demand for quantitative analyses increased, Tony and Prashanthi developed an intake process to bucket risks before the FAIR team accepted them for analysis. It is a system loosely based on the NIST RMF tiers of risk management.

Tier 1

Risks to analyze to support long-term, strategic decisions by senior leadership. These might pose persistent or even existential risk for the organization.

Tier 2

Support for tactical decisions such as cost vs benefit for security investment with a one-year time frame. Analysis might support decisions by middle management on headcount, budgeting, or third-party relationships.

Tier 3

Operational decision support, for instance for security architects, engineers, pen testers or red teamers. Example: a pen test generates 40 findings – which should we remediate first?


“We found more success in starting bigger. If you are trying to get FAIR established in your company, look to do cost/benefit analysis on a merger or breaking into a new market or doing some five-year planning – you’re going to make a lot more friends a lot quicker.”

--Tony Martin-Vegue


Words of Advice from the Netflix FAIR Team

>>Always seek to move FAIR analysis closer to the decision makers.

>>Perform analyses on defined risks, not issues.

>>Scope the analysis to fit the business decision.

>>Know your audience and which tier is appropriate to them.

>>It’s always a balance between risk and reward – and risk isn’t bad.


Learn more in a video presentation by the Netflix FAIR risk analysis team:

Case Study - How FAIR Analyses Support Decision-Making at Netflix – FAIRCON 2020
