4 Ways to Win Executive Buy-in for a FAIR Program

To launch and sustain a risk management program anchored on FAIR™ (Factor Analysis of Information Risk), you’re going to need executive support, first for the resources to get the program off the ground and then to build support around the organization that will weave quantitative cyber risk analysis into the fabric of decision-making.

Based on years of experience running successful quantitative risk management programs, FAIR Institute members tell us that these are the milestones to winning executive buy-in.

Introduce FAIR to Executives as the Tool to Translate Cyber Risk into the Business Terms They Know

Executives ingest financially based reporting all day – yet somehow the notion got loose that the cyber team should brief executives with non-financial, technical metrics (“cyber-babble,” FAIR creator Jack Jones calls it) or dumbed-down red-yellow-green risk ratings. “In my experience, if cyber/technology risk information is put in front of them in a way they can wrap their heads around, they very often prefer numbers,” Jack writes, particularly numbers that quantify in dollars the risk reduction value of cyber initiatives. “FAIR is bridging the gap on ROI and that takes us much closer to speaking in the same language as our business stakeholders,” says Mary Elizabeth Faulkner, VP and CISO at Thrivent.

Emphasize that FAIR Is Credible and Widely Accepted by Their Peers

The FAIR Institute numbers tell the story: 15,000 members representing 50% of the Fortune 1000. The FAIR model has been recommended as a best practice in risk management by the National Institute of Standards and Technology (NIST). Another credibility builder: the data for a FAIR analysis can come from real-time feeds generated by a company’s own cybersecurity telemetry, plus well-researched industry-standard data, all vetted by the organization’s own subject matter experts. Finally, FAIR wins on credibility because it is transparent: we can explain in detail how the analysis was performed and the assumptions underlying it – no black boxes in sight.

Get Some Quick Risk Analysis Wins – But Pick the Most Relevant Risk Scenarios

FAIR program-builders all agree that presenting a few sample, completed quantitative cyber risk analyses is an impressive conversation starter with executives. But take care that they show the kind of business value executives want to see. Omar Khawaja, Field CISO at Databricks, has suggested focusing on the business outcomes of risk reduction, compliance, operational excellence and customer experience: “If your project is not improving one of those business outcomes, there’s no point presenting it.” Cyber Risk Specialist Pierre Olodo at the luxury goods company Richemont suggests looking along the value chain or lifecycle of a product – for instance, his FAIR group ran analyses on cyber risk at each stage of the manufacturing process.

Ease this Pain Point: Show How FAIR Enables Prioritization of Cyber vs Other Investments

Jack Jones says, “The executives in any organization — especially large ones — have way more on their plates than they can ever hope to fully accomplish. As a result, they have to prioritize, and effective prioritization requires effective comparisons, which in turn require effective measurements.” Showing a high-level cost vs. benefit estimate clarifies prioritization for executives: they can rank cybersecurity initiatives by the dollar value of risk reduction and, just as important, compare cyber investments against non-cyber ones on the same basis. Widening the focus, quantification puts cyber in perspective with the rest of enterprise risk management – and ultimately wins the support of the board.
