This is what a movement looks like. Membership in the FAIR Institute has now passed 3,000, about double the level of a year ago, as cyber risk quantification wins converts across industries and government agencies – and FAIR (that’s Factor Analysis of Information Risk) emerges as the risk quantification model of choice.

The drivers of change are coming from all directions:
- From boards demanding reporting on cyber risk in financially based metrics in line with the rest of enterprise risk management; they’re fed up with FUD, the fear, uncertainty and doubt that’s been used to shake budget out of them by old-school cybersecurity departments.
- From a new breed of business-aligned CISOs who find that following compliance-based maturity models leaves them with stacks of security solutions and the realization that more controls are not better.
- From government, with regulators at the SEC and the New York Department of Financial Services demanding that companies proactively disclose risk in monetary terms, and federal watchdog OMB telling agency CISOs to expect a “risk-based budgeting process” to come soon.
- From industry thought leaders, like Gartner, which recently added “risk quantification and analytics” to the list of critical capabilities that forward-looking companies must include in their Integrated Risk Management regimes, or RSA Archer, which this year added the FAIR-based Cyber Risk Quantification application to its industry-leading GRC solution.
It’s estimated that already 30% of the Fortune 1000 use FAIR in some fashion and that’s projected to grow to 50% by 2020. Some of the FAIR-empowered organizations active in the Institute include Bank of America, Cisco and ADP. These leading thinkers are joined by an impressive list of other organizations and security and risk professionals.
No wonder word about the FAIR Institute is spreading – and virally. The typical new member comes from word-of-mouth referrals (including via our growing roster of local chapters) or internet searches. See our growth stats in the infographic below.
Another marker of the growth of FAIR and risk quantification is in training and education. In the past year, the Institute's FAIR training program launched new courses, including an online/video course, for professionals seeking hands-on experience leading to FAIR certification by The Open Group. At the end of 2017, the FAIR Institute introduced the FAIR-U app, a free training tool for performing FAIR analyses. Most telling that the future is FAIR: the growth in the University Curriculum, now offered for formal education in risk quantification at 15 universities, including Carnegie Mellon and other top schools.
Taking into account what we're hearing from our partner community (including RiskLens, RSA and RiskRecon) about a surge in adoption of their solutions for the enterprise enablement of FAIR, all signs point to one conclusion: there is a revolution underway and you as FAIR Members are leading it.
If you are reading this and you aren't already a FAIR member, now is the time to signal to the world that you too are a leading thinker in the area of cyber risk.
Join the movement.
Sign up for FAIR Institute membership (it’s free) and connect with FAIR practitioners around the world on our Link discussion boards.
Join a local chapter and meet and learn from FAIR fans in your town.
And attend the 2018 FAIR Conference, the single most important event for furthering your FAIR and quantitative risk management knowledge (and your network), this year to be held October 16-17 on the campus of our co-sponsor, Carnegie Mellon University in Pittsburgh, PA. Register now.