5 Powerful Ideas from the FAIR Institute in First Half 2022

FAIR Institute leaders and members like to practice critical thinking and questioning conventional wisdom, and those skill sets generate a steady supply of fresh insights into cybersecurity specifically and risk management generally. Here's a sampling from FAIR Institute blog posts published in the first six months of 2022.

1. Cybersecurity controls should be assessed based on their risk reduction value.

Blog post: 3 New Ways to Think about Cybersecurity Controls

That may sound like an obvious statement, but in conventional cyber risk management, the risk reduction value of controls is just assumed, not measured. FAIR creator Jack Jones developed FAIR-CAM™ (the FAIR Controls Analytics Model) to categorize controls, clarify their inter-relationships and assign them units of measurement for reliable analysis of their effectiveness.


2. Without good measurement, advancements in risk analytics like automation or machine learning will simply be faster routes to unreliable results.

Blog post: Jack Jones Speaks at RSAC22 on the Future of Cyber Risk Measurement

In his RSAC Conference talk and a blog series on automation, Jack made the point that the much-publicized hopes for AI in cyber risk management will not be realized without three things: careful scoping of the risk scenarios to be analyzed, a model that accounts for the nuances of control effectiveness, and accurate data carefully applied to that model.

3. FAIR practitioners should also practice empathy.

Blog post: Understanding and Managing Skeptical Stakeholder Reaction to Quantitative Cyber Risk Analysis

Caleb Juhnke, Co-Chair of the Kansas City chapter of the FAIR Institute and a Cyber Risk Quantification Expert at Equinix, wrote that "The understanding that the stakeholder is operating under a series of assumptions and inclinations against objective analysis should gently guide the conversation towards a resolution…Influence change with a scalpel not a hammer."

4. You deliver value when you influence decisions.

Blog post: How Long Does It Take to Launch a FAIR Program?

Chad Weinman of RiskLens laid down two markers for success in a quantitative risk management program: launch within 90 days, and count yourself launched only once you "produce a report that's used to inform a risk-based decision, for instance to prioritize a new control/project or to accept a risk based on your analysis."

5. Security people should stop obsessing over mitigation.

Blog post: Jack Jones Speaks at RSAC22 on the Future of Cyber Risk Measurement

Longtime FAIR expert Tony Martin-Vegue, Senior Information Security Risk Engineer at Netflix, joined Jack on the RSAC stage with some pointed advice: Security people should get into the habit of talking about security “investments” that can be prioritized for cost vs. benefit and stop obsessing over risk mitigation. Tony said that “return on investment” is now his most requested analysis at Netflix. Tony’s advice dovetails with the presentation by enterprise risk management authority James Lam, speaking at the 2022 FAIR Conference Series quarterly event, who gave advice on presenting risk analysis to the board, with tips such as “discuss risk in terms of business opportunities” and “relate quantified risk to risk appetite.”
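Ideas 1 and 5 both come down to the same arithmetic: a control's value is the loss exposure it removes, and an "investment" framing compares that reduction with what the control costs. The following is an added example written for this summary, not code from the FAIR Institute, RiskLens, or FAIR-CAM. It uses the public FAIR decomposition (threat event frequency × vulnerability = loss event frequency; loss event frequency × loss magnitude = annualized loss exposure) with triangular distributions as a stand-in for the PERT curves FAIR analysts typically use. The phishing/MFA scenario, every estimate in it, and the `Tri`, `Scenario`, `control_value` and `simulate_annual_loss` names are all constructed for illustration; it also goes slightly beyond the post by showing the tail (p90) of the loss distribution, which the closed-form mean alone hides.

```python
"""Added example: estimating a control's risk reduction value and return on
investment with a FAIR-style calculation. Illustrative code only; not
FAIR-CAM or any FAIR Institute tooling. All scenario numbers are constructed."""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Tri:
    """Min / most-likely / max estimate, sampled as a triangular distribution
    (a simple stand-in for the PERT curves FAIR analysts often use)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode) in that order
        return rng.triangular(self.low, self.high, self.mode)

    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3


@dataclass(frozen=True)
class Scenario:
    """One FAIR loss scenario: how often a threat event occurs per year (TEF),
    how often it succeeds (vulnerability), and what each loss event costs."""
    tef: Tri             # threat events per year
    vulnerability: Tri   # probability a threat event becomes a loss event
    loss_magnitude: Tri  # cost per loss event, in currency units


def expected_annual_loss(s: Scenario) -> float:
    """Closed-form annualized loss exposure: E[TEF] * E[Vuln] * E[LM].
    Valid because the three factors are modelled as independent."""
    return s.tef.mean() * s.vulnerability.mean() * s.loss_magnitude.mean()


def simulate_annual_loss(s: Scenario, trials: int = 20_000, seed: int = 7) -> dict:
    """Monte Carlo view of the same scenario: each trial draws one year's TEF,
    vulnerability and per-event loss and multiplies them. Returns the mean
    plus median and 90th-percentile annual loss so the tail is visible."""
    rng = random.Random(seed)
    losses = [
        s.tef.sample(rng) * s.vulnerability.sample(rng) * s.loss_magnitude.sample(rng)
        for _ in range(trials)
    ]
    losses.sort()
    return {
        "mean": statistics.fmean(losses),
        "p50": losses[len(losses) // 2],
        "p90": losses[int(0.9 * len(losses))],
    }


def control_value(before: Scenario, after: Scenario, annual_cost: float) -> dict:
    """Risk reduction value = ALE without the control minus ALE with it.
    ROSI (return on security investment) = (reduction - cost) / cost."""
    ale_before = expected_annual_loss(before)
    ale_after = expected_annual_loss(after)
    reduction = ale_before - ale_after
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "risk_reduction": reduction,
        "rosi": (reduction - annual_cost) / annual_cost,
    }


# Constructed scenario: phishing-led credential compromise. A phishing-resistant
# MFA rollout is modelled as a control that lowers vulnerability (how often an
# attempt succeeds) while leaving threat event frequency unchanged.
BASELINE = Scenario(
    tef=Tri(2, 4, 12),
    vulnerability=Tri(0.30, 0.50, 0.70),
    loss_magnitude=Tri(50_000, 150_000, 400_000),
)
WITH_MFA = Scenario(
    tef=BASELINE.tef,                      # control does not change attacker activity
    vulnerability=Tri(0.05, 0.10, 0.15),   # assumed residual failure rate (constructed)
    loss_magnitude=BASELINE.loss_magnitude,
)
MFA_ANNUAL_COST = 150_000  # constructed licence + operations estimate


if __name__ == "__main__":
    value = control_value(BASELINE, WITH_MFA, MFA_ANNUAL_COST)
    for name, amount in value.items():
        print(f"{name:>15}: {amount:,.2f}")
    print("simulated baseline:", simulate_annual_loss(BASELINE))
    print("simulated with MFA:", simulate_annual_loss(WITH_MFA))
```

Run as a script it prints the baseline exposure, the exposure with the control, the difference (the control's risk reduction value), and the ROSI. The design choice worth noting is that the control only touches the factor it actually affects; modelling MFA as a reduction in threat frequency would overstate its value, which is exactly the "assumed, not measured" trap the first idea warns about.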
