Most folks are surprised to learn that the FAIR Institute just turned two, given the wide influence its activities are having in shaping modern risk management programs, where information and operational risk is managed in economic terms rather than in terms of mere technical compliance, according to standard (FAIR) principles.
An increasing number of organizations all over the globe are looking at the FAIR standard as their new risk model of choice for assessing risk in financial terms, so that business executives and boards of directors can finally fulfill their risk governance roles, make well-informed, cost-effective decisions and achieve the right balance between running the business and protecting their organizations.
The FAIR Institute is an expert, non-profit organization led by risk and security officers, business executives and board members. Its mission is to help provide educational opportunities, foster collaboration among its members and develop and share standard risk management practices based on FAIR.
Factor Analysis of Information Risk (FAIR) is the only international standard analytics model for information security and operational risk.
Such anniversaries are a great opportunity to reflect on the accomplishments of the past year and to share what is coming next. Here are some of the highlights:
New memberships have increased pace and have gone global
The FAIR Institute now counts over 2,500 members and is on pace to approach 4,000 by the end of 2018. The pace accelerated in the last year: it took 11 months to add the first thousand members, while it took just 8 months to add the next thousand.
The membership is also expanding geographically beyond North America, with Europe and Asia/Pacific leading the way. The recent formation of new local FAIR Institute chapters in Paris, Abu Dhabi and Melbourne reflects how membership in those regions is reaching the critical mass needed to support local activities.
Blog readership is at an all-time high with the number of blog subscribers exceeding the FAIR Institute membership.
Education opportunities are multiplying and forming the next generation of risk officers
These past few months have been particularly fertile in terms of the multiplication of education opportunities. This has been a constant request from many members, who have been struggling to find FAIR-trained talent to staff their quantitative risk management programs:
- A new online, video-based course on FAIR Fundamentals was launched by RiskLens, the Institute's Technical Advisor, which is also an OpenFAIR training organization accredited by The Open Group.
- The number of universities that are offering information risk management courses based on FAIR continues to grow, following the launch of a FAIR University curriculum and of the FAIR-U training application. There were 5 universities offering such courses in 2017. That number is growing to 15 in 2018 and there are 15 more interested in offering courses in 2019.
- The SANS Institute, the leading provider of cybersecurity courses, is now planning to hold a week-long training course on risk management based on FAIR during its Fall Baltimore event on Sept. 10-14.
Increased advocacy of policies measuring the effectiveness of security/risk programs (versus more technical compliance)
Institute President Nick Sanna and Director Luke Bader on a Congressional visit.
We have been seeing a shift happening in the thinking of some policy makers, as they recognize the limitations and rapid obsolescence of regulations mandating very prescriptive technical measures to reduce cyber and operational risks. The most forward-thinking of them are starting to see the benefits of encouraging an economical approach to the problem, so that finite organizational resources can be applied to where it matters the most (versus what a one-size-fits-all checklist might tell you).
In the US, this shift is evident in:
- the most recent Executive Order on Cybersecurity, mandating that agency heads report on the effectiveness of their cybersecurity programs and the adequacy of their security budgets.
- the new SEC guidance for public companies to improve their reporting of top cyber risks in terms of (financial) materiality to the business.
It is also not surprising then that we have been able to start a dialogue and conduct briefings with both the White House's Office of Management and Budget as well as members of the US Congressional Cybersecurity Caucus.
A sore point has been reading the first draft of the proposed 1.1 revision to the NIST Cybersecurity Framework (CSF). While the stated goal of the NIST CSF since its inception has been to enable "cost-effective decision making" as it relates to cybersecurity investments, the only risk measurement method being proposed by NIST in the draft is a qualitative scale (such as 1-4) that has proven to be both ineffective and misleading in terms of making prioritization and resource allocation decisions. Unless new revisions include references to proven standard quantitative risk models such as FAIR, NIST could set the industry back by proposing methods that FAIR Institute members already know don't work.
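To make the point about ordinal scales concrete, here is an added illustration (not code from the FAIR Institute, NIST or any product) that contrasts a 1-4 likelihood-times-impact score with a simple FAIR-style estimate of annualized loss exposure. It uses FAIR's two top-level factors, loss event frequency and loss magnitude, each given as a calibrated (low, most likely, high) range that is sampled with a triangular distribution; the two scenarios, their ranges and the Monte Carlo simplification of multiplying one sampled frequency by one sampled magnitude per trial are all constructed assumptions for the example.

```python
import random
from statistics import mean, quantiles


def ordinal_score(likelihood: int, impact: int) -> int:
    """The kind of 1-4 x 1-4 'risk score' the post criticises.

    Two scenarios with the same pair of ratings collapse to the same number,
    however different their real loss exposure is.
    """
    if not (1 <= likelihood <= 4 and 1 <= impact <= 4):
        raise ValueError("ratings must be on the 1-4 scale")
    return likelihood * impact


def simulate_annualized_loss(freq_range, loss_range, trials=20000, seed=1):
    """FAIR-style estimate: loss event frequency (events/year) x loss magnitude ($).

    freq_range and loss_range are (low, most_likely, high) calibrated estimates.
    Each trial draws one frequency and one magnitude from a triangular
    distribution (a simplification of a full FAIR/Monte Carlo analysis, labelled
    as an assumption of this example) and records the annualized loss.
    Returns the mean and 90th percentile of the simulated annual loss.
    """
    rng = random.Random(seed)  # fixed seed so the example is reproducible
    f_low, f_mode, f_high = freq_range
    l_low, l_mode, l_high = loss_range
    annual_losses = []
    for _ in range(trials):
        lef = rng.triangular(f_low, f_high, f_mode)   # random.triangular(low, high, mode)
        magnitude = rng.triangular(l_low, l_high, l_mode)
        annual_losses.append(lef * magnitude)
    return {
        "mean": mean(annual_losses),
        "p90": quantiles(annual_losses, n=10)[8],  # 9th cut point of deciles = 90th percentile
    }


# Constructed scenarios: both would plausibly be rated likelihood 3 / impact 3
# on a 1-4 scale, yet their calibrated ranges differ by more than an order of magnitude.
SCENARIOS = {
    "lost laptop, encrypted, some notification cost": {
        "ordinal": (3, 3),
        "freq": (0.1, 0.2, 0.5),          # loss events per year
        "loss": (10_000, 30_000, 100_000),  # dollars per event
    },
    "web app account takeover via credential stuffing": {
        "ordinal": (3, 3),
        "freq": (2, 3, 6),
        "loss": (50_000, 100_000, 500_000),
    },
}


def compare_scenarios(scenarios=SCENARIOS):
    """Return, per scenario, the ordinal score and the quantitative estimate side by side."""
    results = {}
    for name, s in scenarios.items():
        results[name] = {
            "ordinal_score": ordinal_score(*s["ordinal"]),
            **simulate_annualized_loss(s["freq"], s["loss"]),
        }
    return results


if __name__ == "__main__":
    for name, r in compare_scenarios().items():
        print(f"{name}: score={r['ordinal_score']}, "
              f"mean ALE=${r['mean']:,.0f}, p90=${r['p90']:,.0f}")
```

Both scenarios receive the same ordinal score of 9, so a heat map would rank them as equals, while the simulated annualized loss of the second is roughly sixty times that of the first. That gap is what a finite security budget has to be prioritized against, and it is invisible on the 1-4 scale.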
Exciting developments lie ahead
An exhaustive list of upcoming activities would be too long for this blog post, so we are listing below a brief selection:
- A new FAIR Institute member community site called LINK is being launched, with the goal of improving the user experience, security and level of collaboration among members and facilitating access to member resources.
- A new Standards Committee is forming as part of the collaboration between the OpenFAIR standards holder, The Open Group, and the FAIR Institute. The first project being tackled by the committee is the alignment of two complementary standards, TBM and FAIR, to enable CIOs and Technology Leaders to manage both IT operations and IT security from the business perspective. The results will be presented at FAIRCON18.
- The Cyber Insurance workgroup is re-starting with new leadership and a new format. A true hands-on working group is being formed with by-invitation-only representatives of brokers, underwriters, buyers of cyber insurance and of the legal profession. The project intends to determine a standard model for assessing cyber risk, with the goal of optimizing cyber insurance coverage. Current members of the workgroup will be briefed on proceedings on a regular basis, ahead of wider industry communication such as FAIRCON18.
- A new US Federal Government chapter will be launched in the spring in Washington D.C., driven by the demand of a growing number of federal government FAIR Institute members. Stay tuned for the announcement on our blog.
In terms of events, it is not too early to sign up for these two trend-setting ones, as space is limited:
- FAIR Institute Breakfast on April 17, 2018, during the 2018 RSA Conference in San Francisco, CA. Join FAIR Institute chairman Jack Jones and an expert panel as they unveil and discuss the roadmap to success of FAIR-based risk management programs.
- 2018 FAIR Conference (FAIRCON18), which will be held on Oct. 16-17 at Carnegie Mellon University in Pittsburgh, PA. Join your peers as they discuss and shape the future of information and operational risk management.
As President of the FAIR Institute, I would like to conclude this anniversary note by thanking the Institute's leadership and its members, who have been offering countless hours and their best ideas on a volunteer basis for the sake of advancing the profession. You are turning the vision and aspirations of a few into a movement that is benefiting the industry at large. I am humbled and inspired, and look forward to continuing the journey with all of you and all those who will join the movement towards risk economics.