Sarina Hothi first heard about FAIR™ (Factor Analysis of Information Risk) at her job interview at DoorDash, the fast-growing, fast-moving food delivery service. She was so impressed, she went home and started studying the FAIR book. Good thing, because DoorDash quickly hired her as Security Project Manager to roll out its FAIR program.
Hothi found value right away in applying FAIR thinking. “Even in the early stages of implementation, FAIR has helped us communicate and determine what’s actually at risk. It benefited not only DoorDash but my own professional growth.”
Her first challenge: prioritize and develop a program around an “exhaustive list of broad recommendations” from a consultant who had just completed a security assessment of the company. “In the security world, there’s always a million things you can and should do. I have to admit, it was a bit overwhelming to prioritize and roadmap the list of recommendations while trying to stand up a FAIR program.”
For help, DoorDash brought in two experts at the launch of its FAIR program, Protiviti and RiskLens, and dove into the problem in a way that “sounds like we were a little scattered, but DoorDash is very much a Silicon Valley startup. We are always going a thousand miles a minute, and often we had multiple things moving in parallel.”
The team ran an initial Rapid Risk Assessment with the RiskLens platform. “We hadn’t yet completed the analysis of all our assets in RiskLens. We knew what our top risk scenarios were, based on our initial comprehensive triage analysis.
“By looking at how some of the scenarios were set up in RiskLens, we were able to decompose the problem and narrow down the recommendations given to us, which led to much easier conversations for our stakeholders” – and an initial scoped project.
That was good enough for the security engineers. “By the time Protiviti and I had completed the threat assessment of our assets, the engineers had already started working on the project we had scoped, and had started implementing the controls. We were able to go back and do a comparative analysis, to look at our risk pre- and post-controls. This really helped us tell the story of the impact these projects were having from a dollars perspective.”
With the FAIR program at DoorDash still less than a year old, Hothi now finds FAIR useful for the day-to-day prioritization issues for security at a startup. “People come in with an edge case and say XYZ is a huge problem and now the end of the world is coming. By going to the FAIR taxonomy and asking questions like ‘How often has the end of the world truly happened? What threat would cause the world to end?’, more often than not we come to the conclusion that the issue at hand is not really a priority. That five minutes spent verbally going through the taxonomy has probably helped me save hundreds of hours.”
Learn Sarina Hothi’s tips for launching a FAIR program: watch the video of the DoorDash session at FAIRCON2020.