Don’t think of cybersecurity standards and frameworks as checklists – think of them as recipes with plenty of room for “season to taste.” That was the message coming out of a panel discussion at the 2019 FAIR Conference on the topic “Building a Cybersecurity Program with a Risk Management Framework & FAIR,” led by Jack Freund, co-author of the FAIR book, and recently the advisor to the National Institute of Standards and Technology (NIST) on its proposal to incorporate the FAIR model into its Cybersecurity Framework (NIST CSF), the most popular set of infosec guidelines in the U.S. (Learn more in this blog post: NIST Maps CSF to FAIR.)
Watch the video of the panel discussion (FAIR Institute membership and LINK community site membership required).
Also on the panel:
- Ian Amit, CSO, Cimpress, winner of the FAIR Business Innovator award at FAIRCON19 for his creative work introducing FAIR to a global, diversified company. Cimpress was also recognized by NIST with the publication of a case study of FAIR at Cimpress.
- Jason Martin, GRC Team Manager, Highmark Health, an organization also gaining wide attention for pioneering FAIR in the healthcare industry. Ask your questions about FAIR implementation when Jason appears at an upcoming FAIR Institute webinar, Monday, Nov. 18th, 2 PM ET – register now.
- Michael Parisi, Vice President Assurance Strategy, HITRUST, keeper of the health industry cybersecurity framework now expanding into other industries (and looking to incorporate FAIR – see this blog post from RiskLens: Enhancing HITRUST Risk Assessments with Cyber Risk Quantification).
The discussion was filled with actionable insights based on the first-hand experiences of FAIR practitioners and authorities on standards. Among the advice:
The choice isn’t FAIR or NIST CSF. Work with multiple frameworks for your best results.
“You should not leverage one framework or standard,” says Michael Parisi. Learn to combine, for instance, HIPAA for healthcare or ISO for international operations with cybersecurity standards. “Transparency is key, regardless of what we are using for a risk assessment framework,” he adds, with the underlying assumptions and model made clear (as is the case with FAIR).
Take a business-first, not security-first point of view.
Ian Amit gave a detailed account of what he calls an MSSP model for security at Cimpress, where the business units are the drivers on cybersecurity based on their acceptance of risk (as indicated by FAIR analysis), with the security team offering them a choice from a menu of services, based on the CSF. “It took some courage for security to let the businesses make the decisions for themselves,” he says, but it became clear that most of the risk-based security choices really were business decisions. “We’ve seen a lot of positive response to this approach from the businesses.” (Hear Ian describe how he implemented and runs his FAIR program, working with RiskLens, the technical adviser to the FAIR Institute, in this webinar: Combining NIST CSF and FAIR to Drive Better Cyber Risk Decisions.)
Don’t be afraid to experiment
“You will definitely try things and they will fail,” counsels Jason Martin. “We basically had to throw out our risk register,” dropping from 50 risk statements to nine after FAIR analysis. “It gave our internal auditors a heart attack…We had to balance those worlds and that took some trial and error to get there.” Talk about heart attack: Jason’s boss Omar Khawaja, CISO at Highmark, has a standing challenge to team members to eliminate one control, based on FAIR analysis. “We’re still having that conversation” with the auditors, Jason says.
Think of FAIR, CSF or HITRUST as conversation enablers
Both Ian and Jason spoke about the benefits of demystifying security and phrasing it in the language of business: costs and benefits. “Conversations are 10 times easier” with partners in the business, says Jason. “We are now speaking in terms they can actually relate to.” And “not just pointing to a single framework but (an approach) that encompasses multiple viewpoints and frameworks” gives business decision makers more confidence.
Watch the video of the panel discussion “Building a Cybersecurity Program with a Risk Management Framework & FAIR.” FAIR Institute membership and LINK community site membership required.