The FAIR Institute breakfast during the recent Gartner Security & Risk Management Summit was an opportunity for FAIR newbies to soak up advice from veteran practitioners. Nick Sanna, President of the FAIR Institute, gave the keynote followed by a panel of:
Nick led off with some fundamentals that were first presented by FAIR author Jack Jones in San Francisco earlier this year: Adopting FAIR means operationalizing it – baking it in to risk management processes – but that could mean as little as using FAIR terminology to better understand risk up to quantifying risk for all strategic and many tactical decisions.
He answered two misconceptions that often come up in early stages. First, success in adoption has nothing to do with an organization’s “maturity” level in risk management. Second, it has nothing to do with how much data is available.
On the other hand, success does hang on two prerequisites:
Nick recommended that a FAIR evangelist find executive champions as guides for action, then look for an initial project to prove out FAIR with some key characteristics: Meaningful results, achieved quickly, and easily visible to executive decision-makers. With some quick wins under your belt, Nick next advised looking for long-term integration of FAIR into ongoing processes.
One questioner asked about this paradox: The better the risk assessment team became at quantitative analysis, the better they could answer NIST CSF questions, the worse their scores came out, compared to their previous record – tough to explain to management.
The panel agreed that there’s an education process for management, and Chip Block said to also expect to see the opposite effect in estimating risk in monetary terms when using the discipline of a taxonomy to clarify the inputs of risk. “FAIR loss estimates come in significantly lower because in the cyber world, we love to count risks two or three times on top of each other and analyses get bigger and bigger till the company is going out of business and California is going to fall into the sea.”
Another questioner asked for the best approach to introducing quantitative analysis to an organization where qualitative is firmly entrenched. Wade Baker suggested a half step: “Take those qualitative inputs from experts and pull them into a better way of organizing them, better than arguing in a room. Then ask, ‘where do we have most uncertainty and what data do we have that would help us close those uncertain bounds?’ and start your quantitative data collection there.”
Christina Nelson told her introduction story:
“There was a lot of opposition to the idea of quantifying operational risk. We took a heavy education approach.” First off, was a two-hour seminar on FAIR and its use, then a workshop presenting some relevant scenarios, then day-and-half sessions in which teams scoped and created their own scenarios, then sessions of the same length of data gathering and measuring. “Telling just wasn’t enough. You have to have people involved in creation.” To emphasize executive support for the FAIR initiative, VPs and senior VPs from Walmart stopped by to show support.
Wade Baker: “Get to know the FAIR model really well because that’s where most discussions will be had; the measurement and quantification aspects will be layered on top of that.”
Chip Block: “Start with a ‘why’ question and the why isn’t ‘what is the total risk to our organization?’. Pick something that is going to be valuable right up front: how much insurance should I buy; should I replace this system? Once they see that, they start to see the value.”
Christina Nelson: “Being very transparent, communicating what you’re going to do with your results. When people are not used to being measured, they start to get very nervous.”