But there’s been one outlier: cybersecurity. CISOs couldn’t communicate cyber risk and return in financial terms. FAIR solves that problem, so it’s no surprise that organizations running TBM programs are also signing up for FAIR.
The TBM Council, the FAIR Institute and the Open Group (holder of the OpenFAIR Standard) are working now on aligning the two standards to speed up this integration.
At the recent 2018 FAIR Conference, Institute Chair Jack Jones hosted the panel discussion “FAIR & TBM: Two Standards Come Together for Managing Technology and Risk from the Business Perspective”, with Todd Tucker, the TBM Council’s VP of Standards, Research, and Education, and TBM practitioner Paula Medders, Senior Program Manager - Cyber Security, HPE.
“If I were a CISO and found out my organization was engaged in TBM, I’d be all over that,” Jack Jones comments. “I can’t begin to count the number of security people who say, ‘I don’t know what I don’t know.’ There are all kinds of opportunity for visibility into the risk landscape, for data points for the kinds of things we want to measure from a risk standpoint.” As an example, Jack points to measuring impact in a FAIR analysis of a ransomware scenario, where TBM data makes visible the connections among the affected applications and the business processes they serve.
Paula Medders shared her project documents showing how HPE applied TBM to cybersecurity functions in a transformation very much like a FAIR implementation – moving from “a capability mindset to service-oriented mindset,” as she says, and showing “how cybersecurity adds value above and beyond the cost of spend.”
Medders says the TBM approach combined with FAIR can be an effective tool of persuasion for CISOs, providing “visibility to business partners on how they could impact the cost of cybersecurity in their business” by, for instance, reducing risky practices. TBM can also be used to make the case for a cybersecurity budget, she says. Watch the video now.
Related: More coverage of the 2018 FAIR Conference