We often talk about the “FAIR™ journey” up from qualitative, compliance-oriented, or other less disciplined forms of cyber risk management to Factor Analysis of Information Risk.
In this edition of the Cyber Ranch Podcast, Drew Brown, the CISO for a Pennsylvania law enforcement agency, tells the story of his FAIR journey concisely, touching on the milestones you would want to pass along the way.
He also gives a short, effective explanation of what the FAIR standard is. Drew is expertly interviewed by podcast host Allan Alford, CISO/CTO at TrustMAPP.
Listen to the Cyber Ranch podcast:
FAIR from the Trenches w/ Drew Brown
The Journey Starts with Audit Findings
Drew started as a “newly minted CISO” with the task of responding to audit findings that essentially told his agency that they didn’t have a cyber risk management program. So, he set out to write a policy that would “check the box” for compliance.
He studied NIST standards and the CIS controls, but something didn’t click for him: their use of high-medium-low or numeric risk ratings. “I just got frustrated. I didn’t know what to do with these numbers. I could only put this in practice so far.”
He found FAIR, but his reaction was “looks like a really good thing, but we’re not mature enough to use FAIR yet.”
Next milestone: Drew attended the annual FAIR Conference and met many FAIR practitioners. He tried out the idea of basing his program on NIST or other controls and “bolting FAIR on top”. Universally, the response was “No. Do FAIR now or you’ll just end up re-inventing the wheel.”
Learn the FAIR approach to risk management – get FAIR training through the FAIR Institute.
The Data Problem
Drew investigated FAIR further and ran up against a common misperception: “We don’t have enough data points to do this.” Then he reasoned that, in cybersecurity, “we don’t have actuarial tables for phishing or DDoS attack”; the data would never be perfect.
The data question sent him to the FAIR book, Measuring and Managing Information Risk, and its guidance on calibrated estimation: expressing risk as probability ranges, for accuracy rather than precision, in risk analysis.
“Digging into that not only helped me resolve those audit problems but I can now make better decisions about risk by following this model. And that’s the goal of FAIR anyway, to make better risk decisions and better business decisions.”
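To make the “ranges, not ratings” point concrete, here is an added example (not code from the podcast, the FAIR Institute, or the FAIR standard itself) of the kind of Monte Carlo arithmetic a calibrated estimate feeds into. It is a deliberate simplification of the FAIR ontology: it works directly from an estimated loss event frequency and loss magnitude rather than deriving them from threat event frequency, vulnerability and primary/secondary loss, it uses a triangular distribution as a stand-in for the PERT-style distributions FAIR tooling typically uses, and the phishing scenario numbers and the hypothetical control cost are constructed for illustration.

```python
"""Simplified FAIR-style Monte Carlo: calibrated ranges -> annualized loss exposure.

Added example, not from the podcast or the FAIR standard. Assumptions:
  * each estimate is a calibrated (low, most likely, high) range, sampled triangularly
  * event counts per year are Poisson around the sampled loss event frequency
  * all scenario figures below are constructed, not real agency data
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated range: the estimator is ~90% confident the true value is in [low, high]."""
    low: float
    likely: float
    high: float

    def __post_init__(self) -> None:
        if not 0 <= self.low <= self.likely <= self.high:
            raise ValueError(f"range must satisfy 0 <= low <= likely <= high: {self}")

    def sample(self, rng: random.Random) -> float:
        # Triangular stands in for PERT/BetaPERT; a point estimate is returned as-is.
        if self.low == self.high:
            return self.low
        return rng.triangular(self.low, self.high, self.likely)


def poisson(rate: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler; adequate for the small annual event rates used here."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_ale(lef: Estimate, lm: Estimate, trials: int = 10_000, seed: int = 1) -> dict:
    """Annualized loss exposure (ALE) distribution from a loss event frequency (events/year)
    range and a loss magnitude (currency per event) range."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        rate = lef.sample(rng)                      # this year's expected event rate
        events = poisson(rate, rng)                 # how many actually happen
        losses.append(sum(lm.sample(rng) for _ in range(events)))
    losses.sort()

    def pct(p: float) -> float:
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {
        "mean": statistics.fmean(losses),
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p_any_loss": sum(1 for x in losses if x > 0) / trials,
    }


def control_value(lef_before: Estimate, lef_after: Estimate, lm: Estimate,
                  annual_cost: float, **kw) -> dict:
    """Compare mean ALE with and without a control that lowers loss event frequency.
    Net value = loss reduction minus the control's annual cost; a decision-support figure
    that an ordinal 'high/medium/low' rating cannot produce."""
    before = simulate_ale(lef_before, lm, **kw)["mean"]
    after = simulate_ale(lef_after, lm, **kw)["mean"]
    reduction = before - after
    return {"ale_before": before, "ale_after": after,
            "reduction": reduction, "net_value": reduction - annual_cost}


# Constructed scenario: credential phishing against a small agency.
PHISH_LEF = Estimate(0.1, 0.5, 2.0)            # successful events per year
PHISH_LM = Estimate(20_000, 75_000, 400_000)   # cost per event, currency units
MFA_LEF = Estimate(0.02, 0.1, 0.5)             # hypothetical: after phishing-resistant MFA
MFA_ANNUAL_COST = 30_000                       # hypothetical control cost

if __name__ == "__main__":
    base = simulate_ale(PHISH_LEF, PHISH_LM)
    print({k: round(v) for k, v in base.items()})
    print({k: round(v) for k, v in control_value(PHISH_LEF, MFA_LEF, PHISH_LM,
                                                  MFA_ANNUAL_COST).items()})
```

Two things the output shows that a rating never would: the 10th percentile of annual loss is zero (most years nothing happens, even though the scenario is far from negligible), and the difference between the two mean ALE figures is directly comparable to a control’s annual cost. The range inputs are where the calibration work goes; nobody needs an actuarial table to say with 90% confidence that a loss event will cost somewhere between 20,000 and 400,000.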
One other stop on the journey: Drew reached out to FAIR creator Jack Jones with questions. Jack’s personal involvement figures in many FAIR journey stories. Drew asked about how FAIR accounts for controls and Jack told him about his upcoming FAIR Controls Analytics Model, previewed at the recent RSA conference, to be fully revealed at the 2021 FAIR Conference.