In an article for Forbes Technology Council, Two Frameworks For Securing A Decentralized Enterprise, Ian Amit, Chief Security Officer at Cimpress (parent company of Vistaprint), tells how he combines the NIST CSF and the FAIR model to handle a challenging situation: multiple, independently operated business units, each with their own security implementation and prioritization.
“Our security organization has two main tasks,” Amit writes, “providing clear and transparent metrics for security maturity and providing a means for measuring (really, this means quantifying) risk in a way that supports decision making around changing controls.”
Using NIST CSF to assess each business unit's security maturity and FAIR to quantify its top risks
For the maturity metrics, Cimpress uses NIST CSF. “There are many approaches to using this framework, ranging from self-attested surveys to fully automated and continuously updating platforms.
“The technique is less of an issue than the ability to create a clear reflection of each business’ maturity levels and, of course, set a minimal or sought-after maturity level…
“In our specific implementation, we simplified the framework in terms of the number of maturity levels and provided focus on several specific subcategories that we defined as 'basic security hygiene.'
Cimpress relies on FAIR “to prioritize these tasks of closing maturity level gaps,” first of all because FAIR is already used in the company’s enterprise risk management (ERM) program, which ensures “relevancy and context for our business leaders.”
The business units identify their top three to five problems, then Amit’s team runs the FAIR analyses on probable losses for those scenarios and factors in recommended controls.
“Beyond providing a more realistic reflection of risk (while shying away from high/medium, red/green, etc. qualitative measures), we also create an immediate feedback loop.
“At this point, we’ve turned security and risk management into a business problem that’s more ‘easily’ solved through financial measurements of recommended changes and their impact to previously expected losses.”
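To make the “financial measurements of recommended changes and their impact to previously expected losses” concrete, the following is an added illustration of a simplified FAIR-style calculation. It is not Cimpress’s or Ian Amit’s tooling, and the scenario (a credential-phishing scenario for one business unit), the hypothetical control, its assumed effect on susceptibility and its $150k annual cost are all constructed numbers. The model keeps only FAIR’s top-level factors: loss event frequency is threat event frequency times vulnerability (the probability a threat event becomes a loss event), and annualized loss expectancy is loss event frequency times loss magnitude. Min / most-likely / max estimates are treated as triangular distributions, both for a point estimate and for a Monte Carlo run that also shows the tail (90th percentile) a business leader would want next to the average.

```python
"""Simplified FAIR-style loss quantification (added illustration, constructed numbers).

    Loss Event Frequency (LEF) = Threat Event Frequency (TEF) x Vulnerability
    Annualized Loss Expectancy (ALE) = LEF x Loss Magnitude (LM)

TEF and LM are (min, most_likely, max) estimates modelled as triangular distributions.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: tuple             # (min, most_likely, max) threat events per year
    vulnerability: float   # probability that a threat event becomes a loss event
    loss_magnitude: tuple  # (min, most_likely, max) loss per loss event, in dollars


def _tri_mean(estimate):
    """Mean of a triangular distribution given (min, mode, max)."""
    low, mode, high = estimate
    return (low + mode + high) / 3.0


def point_ale(s):
    """Point estimate of annualized loss expectancy from the triangular means."""
    return _tri_mean(s.tef) * s.vulnerability * _tri_mean(s.loss_magnitude)


def simulate_annual_losses(s, trials=10_000, seed=1):
    """Monte Carlo: sample one year 'trials' times and return the sorted annual losses."""
    rng = random.Random(seed)
    tef_low, tef_mode, tef_high = s.tef
    lm_low, lm_mode, lm_high = s.loss_magnitude
    losses = []
    for _ in range(trials):
        # How many threat events occur this year (note random.triangular takes low, high, mode).
        threat_events = int(round(rng.triangular(tef_low, tef_high, tef_mode)))
        # Each threat event becomes a loss event with probability 'vulnerability'.
        loss_events = sum(1 for _ in range(threat_events) if rng.random() < s.vulnerability)
        # Sum an independently sampled loss magnitude for every loss event.
        losses.append(sum(rng.triangular(lm_low, lm_high, lm_mode) for _ in range(loss_events)))
    return sorted(losses)


def summarize(losses):
    """Mean and 90th-percentile annual loss from a sorted simulation result."""
    n = len(losses)
    return {"mean": sum(losses) / n, "p90": losses[int(0.9 * (n - 1))]}


def compare_control(before, after, annual_control_cost):
    """Financial view of a recommended change: ALE reduction versus what the control costs per year."""
    ale_before = point_ale(before)
    ale_after = point_ale(after)
    reduction = ale_before - ale_after
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "reduction": reduction,
        "net_benefit": reduction - annual_control_cost,
    }


# Constructed scenario for one business unit; every figure here is illustrative only.
BEFORE = Scenario("credential phishing leading to account takeover",
                  tef=(30, 60, 120), vulnerability=0.10,
                  loss_magnitude=(10_000, 50_000, 300_000))
# Hypothetical control (e.g. phishing-resistant MFA) assumed to cut the share of
# threat events that succeed from 10% to 2%; its cost is assumed to be $150k per year.
AFTER = Scenario("credential phishing leading to account takeover (with control)",
                 tef=(30, 60, 120), vulnerability=0.02,
                 loss_magnitude=(10_000, 50_000, 300_000))
CONTROL_COST = 150_000

if __name__ == "__main__":
    for scenario in (BEFORE, AFTER):
        stats = summarize(simulate_annual_losses(scenario))
        print(f"{scenario.name}: point ALE ${point_ale(scenario):,.0f}, "
              f"simulated mean ${stats['mean']:,.0f}, p90 ${stats['p90']:,.0f}")
    result = compare_control(BEFORE, AFTER, CONTROL_COST)
    print(f"ALE reduction ${result['reduction']:,.0f}, net of control cost ${result['net_benefit']:,.0f}")
```

The point estimate answers the question the quote poses (does the recommended change pay for itself against the previously expected losses?), while the simulation’s 90th percentile shows how much worse than average a bad year can be, which is exactly the information that a high/medium/low rating hides.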
Amit’s advice on implementing both NIST CSF and FAIR: tailor each to your organization’s needs, simplifying where necessary for the sake of clear communication with the business about cyber risk and mitigation.
Expect more success stories like Ian Amit's to emerge in 2019, as momentum builds behind FAIR practice, and companies experiment with adapting their existing frameworks like NIST CSF to risk quantification.