In a new article on CFO.com, Craig Callé, the former CFO for Amazon’s digital media and books businesses, writes that, for cybersecurity, “C-level executives want to know what good looks like and how to measure it.
“Penetration tests, internal vulnerability scans, and IT control checklists remain go-to tactics, but a new generation of tools is taking things to the next level.”
Read the article: What Good Looks Like in Cybersecurity
Callé calls out cloud access security brokers (CASBs), cyber risk ratings services – and Factor Analysis of Information Risk (FAIR™). While NIST and CIS frameworks are “foundational”, he writes, “compliance with the elements of these frameworks typically gets measured qualitatively in traffic light indicators.
“To augment this approach, the FAIR Institute promotes a quantitative model to measure an organization’s cybersecurity and operational risk. FAIR principles consider the probability of an event and its magnitude to calculate an expected value of a risk, expressed in dollars and cents.
“FAIR helps organizations prioritize the areas in which to reduce risk and guides cybersecurity spending decisions to maximize return…”
Callé (who now heads consulting firm Source Callé LLC) also touches on another major benefit of FAIR: closing the communication gap between CISO and CFO. “The availability of tools that objectively quantify risk and convey assessments in a language that non-technical business leaders can comprehend can help make us more secure.”
Learn how FAIR analysis helps CFOs with another key responsibility in this blog post: Review Your Insurance Coverage with a FAIR Approach.