Educating Tomorrow’s Cyber Risk Leaders: The FAIR Institute’s Vision for Training & Certification
Education is core to the FAIR Institute’s mission for a good reason: there are not enough qualified cyber risk professionals to satisfy the demand. So the FAIR Institute develops and offers a robust set of training offerings, both instructor-led and online. These include the FAIR Analysis Fundamentals course, which is accredited by The Open Group to prepare students for the Open FAIR™ certification, as well as the more recently developed Cyber Risk Management for Executives, delivered through both Coursera and the FAIR Academy.
Authors: Todd Tucker is Managing Director, and Pankaj Goyal is Director, Standards and Research, at the FAIR Institute
Beginning in 2025, our members and the broader cybersecurity community will benefit from an increased investment by the FAIR Institute in training and certification, along with new learning tools and opportunities. We are revamping our fundamentals offering and developing new courses, and we will launch our own professional certification program.
The reasons for the increased investment include:
- The professional roles that are actively engaged in cyber risk management have expanded over the years, meaning that a more diverse catalog of training is needed. We must educate not only cyber risk professionals and CISOs but also board members, enterprise risk management officers, and non-CISO executives.
- The risk landscape, especially for cyber, has evolved and continues to evolve rapidly. Consider just a few recent examples: cybersecurity disclosure requirements have elevated the importance of materiality assessments; AI has created many new risk vectors and scenarios; and supply chain risk has become a top priority while digital supply chains have become larger and more complex. Our training must keep up with what’s going on in industry.
- The FAIR model has expanded deeper into cyber risk with ancillary standards and use cases. The FAIR Control Analytics Model (FAIR-CAM), along with the FAIR-CAM Controls Library, links cybersecurity controls to cyber risk factors in the FAIR model. Meanwhile, the FAIR Materiality Assessment Model (FAIR-MAM) provides greater specificity into loss magnitude. We must incorporate these elements of our framework into our training.
- The data landscape for cyber risk management has also evolved. Cyber risk professionals need to understand the role of data in their jobs and how to work with data owners. This encompasses asset data such as that from CMDBs, asset management tools, and cloud providers; vulnerability and control assessment data from scanners, endpoint security solutions and configuration management tools; and threat intelligence data on malicious actors, their exploits and techniques. It also includes metadata models such as MITRE ATT&CK and MITRE CVE. Practitioners need to know how these all fit together to measure and manage risk.
- Finally, organizations have made big strides in automating cyber risk quantification and management with FAIR, making it simpler, data-driven and potentially more defensible. A principle of our framework is that cyber risk must be managed continuously, meaning an enterprise cyber risk management system is a necessary component. Gone are the days of point-in-time (often annual) assessments for cyber risk. Our training must teach professionals how this is done.
You will begin to see the results of these investments in the coming weeks. We will start with the “FAIR Institute Practical Guide to Developing Cyber Risk Scenarios” to improve an essential discipline of cyber risk management. We will also launch a new online course called “Cyber Risk Management for Board Members” to help educate audit and risk committee members of the board, as well as other directors, on their responsibilities for cyber risk management oversight. This course will be available on Coursera first and FAIR Academy later.
Starting in 2025, we will publish a cyber risk management framework including principles, standards, best practices and additional guides. This framework will shape the training that we offer and will grow and evolve based on the work of our community, including our standards body working groups, research boards, and other collaborations.
In the first part of 2025, we will launch a new course called “FAIR Cyber Risk Analysis.” This course will teach how to use the FAIR model, FAIR-CAM and FAIR-MAM in concert to measure and manage cyber risk. The course will also cover: defining and prioritizing cyber risk scenarios; identifying cyber risk data sources; required capabilities for continuous cyber risk management; communicating cyber risk to stakeholders; and creating and executing risk treatment plans.
In time, we will offer a suite of courses to support a robust FAIR cyber risk management certification scheme. This scheme will help satisfy the learning needs of cyber risk management analysts (i.e., those professionals who perform risk assessments, monitoring and treatment planning) and cyber risk management leaders (i.e., those professionals who build and run cyber risk management programs and communicate to senior executives). Courses and certifications for other professionals will follow.
Finally, we will be replacing the existing “FAIR-U” tool originally developed by RiskLens with two tools designed for different use cases. First, to provide an experience for non-cybersecurity learners, we will develop and offer a FAIR spreadsheet-based app that provides many of the features of today’s FAIR-U, but with the advantage of being more transparent to FAIR learners. Learners will be able to see the formulas behind FAIR and be better able to understand its mathematics. The FAIR-U spreadsheet will be offered sometime in the first half of 2025.
Second, we have collaborated with our technical advisor, Safe Security, to provide a free cybersecurity risk management tool for learners called FAIR-U for Cyber. The tool, powered by the Safe One platform, will allow users to build risk scenarios, define assets, manage financial inputs, integrate pre-built data sources, perform risk reporting and more. Users will better understand how data feeds into the model when integrated using FAIR-CAM, and they will see how FAIR-MAM is used to understand loss magnitude. They will experience use cases such as continuous controls monitoring and prioritization, risk-based vulnerability management, attack surface management, and executive reporting.
We will email registered users of the original FAIR-U in the coming days to notify them that its support and availability will be ending at the end of December and provide more information about the new offering.
As announced at FAIRCON24 in October, we are developing a cadre of certified instructors to help teach our courses around the globe. We firmly believe that students learn best from practitioners who are empowered to teach. Our certified instructor program will make this possible. If you would like to learn more about becoming an instructor, reach out to us at InvolveMe@FAIRInstitute.org.