Here’s Jack’s blueprint for successful FAIR adoption:
More highlights from the FAIR Institute Breakfast at the end of this post.
Choose a direction
Decide what you want to accomplish with FAIR and how that fits into an overall risk management objective. Organizations typically “might have clear compliance goals or technically driven goals but rarely have a clearly overarching objective for the risk management program.”
Go with the momentum
Most organizations are barreling along in one direction “driven by culture,” Jack said, and you won’t succeed by standing out in front and telling folks they’re going the wrong way. If you want to steer in a new direction you first need to find ways to influence the drivers by “finding shared interests and finding their pain.”
Meet the prerequisites
And there are two:
1) A starting point – a good, clear reason why your organization should adopt FAIR, based on the pain points you hear from stakeholders.
2) Critical thinkers who can break problems down into component parts, and make calibrated estimates, that is, think in terms of ranges of possibility as opposed to black and white.
Choose your depth, scope and speed
To get your arms around a FAIR launch, limit your scope to a risk issue where you can “gain a solid foothold and demonstrate value on something”—for instance, a better approach to qualitative analysis of cyber risk that might reduce the list of high-level issues.
Pick your depth: You might apply FAIR at just a basic level to start, for instance by changing how the organization thinks and communicates about risk (introducing the vocabulary of the FAIR model).
The same goes for the speed of the introduction: Baby steps might be fine if there’s a clear goal in sight. Remember that organizations can reach a “point of saturation” on change, and you don’t want to go so fast that you “introduce more problems than you solve.”
Understand the culture. Find your champions
“It takes a village; you will not do this by yourself.” Identify the key stakeholders who care the most about risk management. “Build your strategy on what people will rally around.” Socialize FAIR concepts by talking about challenges the organization has because of bad risk management.
Achieve initial objective as quickly as possible
Jack suggested you find an objective you can achieve through FAIR in roughly 90 days—an organization’s “attention span is limited.” Example: An analysis of which solution would be most cost-effective in reducing cyber risk in a particular case.
Be prepared for the challenges
Dispel the myths, for instance the notion that you can’t measure cyber risk quantitatively because it is a special snowflake unlike anything else in the universe. Or “this is how we’ve always done it before” – but does it work? Or “this isn’t what COBIT says.” Or “we don’t have enough data” (focus on just getting enough information to make better decisions, not perfect decisions, Jack advised).
Seek long-term integration opportunities
“It’s about baking FAIR into the process” of an organization to drive permanence. Jack gave as an example the Risk Control Self Assessment (RCSA) that banks run every quarter to assess operational risks. Another approach: demonstrate value to key stakeholders and the board so that they say “I’m not satisfied with [non-quantitative] heat maps anymore.”
More on the FAIR Institute breakfast…
FAIR Institute President Nick Sanna kicked off the event by reflecting on how far the Institute has come in two years of existence, now at 2,600 members heading toward 4,000 by year end, and in the process “becoming a force of progress, a force of change.”
“Jack Jones looked like a prophet in the desert three years ago at RSA,” Nick said, and this year, RSA President Rohit Ghai talked up FAIR in his keynote address to the conference. “It’s great to see when the leader in an industry says we believe in FAIR, we are moving from a compliance view of cybersecurity to a risk-based view where we can make business-based decisions. It means the industry is moving and we are affecting progress.”
Nick said that “we are also becoming a force of change in government”, with Institute leadership and members recently invited to Congress and the White House to discuss how FAIR might aid the government’s cybersecurity modernization plans. “They are looking for models to fulfill a mandate to measure cost effectiveness,” Nick said.
Nick introduced John P. Carlin, who chairs the Global Risk and Crisis Management practice for breakfast event host Morrison Foerster, and is a former Assistant Attorney General for the U.S. Department of Justice’s National Security Division. Carlin gave a quick history of government efforts to bring risk awareness to national security thinking, including an effort he led at the FBI to base budgeting on quantitative comparisons of risks.
In his new role as a corporate adviser in the private sector, Carlin said he finds that cybersecurity “is the top of mind issue for boards and C-suites and the thing that they are struggling with, which is why the FAIR Institute product is excellent, is they just don’t know what they are supposed to do…to exercise their duty of oversight…they’re looking for quants that can help drive the qualitative discussion they need to have.”
Also speaking at the event were FAIR chapter leaders Chip Block (Washington, DC) and Tony Martin-Vegue (San Francisco), who reflected on how the FAIR Institute has grown. Two and a half years ago, Tony led the first meeting of the San Francisco chapter: “It was me sitting alone in a bar. And no one ever came.” The chapter membership now is around 100.