Watch the video of the panel discussion (FAIR Institute membership and LINK community site membership required).
Also on the panel:
The discussion was filled with actionable insights based on the first-hand experiences of FAIR practitioners and authorities on standards. Among the advice:
“You should not leverage one framework or standard,” says Michael Parisi. Learn to marry up, for instance, HIPAA for healthcare or ISO for international operations with cybersecurity standards. “Transparency is key, regardless of what we are using for a risk assessment framework,” he adds, with the underlying assumptions and model made clear (as is the case with FAIR).
Take a business-first, not security-first point of view.
Ian Amit gave a detailed account of what he calls an MSSP model for security at Cimpress, where the business units are the drivers on cybersecurity based on their acceptance of risk (as indicated by FAIR analysis), with the security team offering them a choice from a menu of services, based on the CSF. “It took some courage for security to let the businesses make the decisions for themselves,” he says, but it became clear that most of the risk-based security choices really were business decisions. “We’ve seen a lot of positive response to this approach from the businesses.” (Hear Ian describe how he implemented and runs his FAIR program, working with RiskLens, the technical adviser to the FAIR Institute, in this webinar: Combining NIST CSF and FAIR to Drive Better Cyber Risk Decisions.)
Don’t be afraid to experiment
“You will definitely try things and they will fail,” counsels Jason Martin. “We basically had to throw out our risk register,” dropping from 50 risk statements to nine after FAIR analysis. “It gave our internal auditors a heart attack… We had to balance those worlds and that took some trial and error to get there.”
Think of FAIR, CSF or HITRUST as conversation enablers
Both Ian and Jason spoke about the benefits of demystifying security and phrasing it in the language of business: costs and benefits. “Conversations are 10 times easier” with partners in the business, says Jason. “We are now speaking in terms they can actually relate to.” And “not just pointing to a single framework but (an approach) that encompasses multiple viewpoints and frameworks” gives business decision makers more confidence.
Watch the video of the panel discussion “Building a Cybersecurity Program with a Risk Management Framework & FAIR.” FAIR Institute membership and LINK community site membership required.
Related:
More coverage of all the panels and sessions at the 2019 FAIR Conference.