In the eBook An Adoption Guide for FAIR, Jack Jones wrote, “there are two primary considerations when selecting a starting point for [FAIR™] adoption that has executive visibility: meaningful results, achieved quickly.
“Most often, this means that FAIR analysis results are valuable in making one or more decisions. Getting a quick win is important because a clock starts ticking as soon as you get the go-ahead. This clock represents a sort of ‘expiration date’ before interest and support begin to wane as other imperatives tug at stakeholder attention.”
It’s a message confirmed by successful FAIR program managers again and again. But how do you find your targets of opportunity, then produce fast decision support based on risk quantification? Here’s some advice from FAIR practitioners:
Run a top risks analysis with FAIR
A popular starting point for a FAIR program is to triage the organization's top risks by loss exposure in dollars. The result is impressive, but as the FAIR program leaders from Werner Enterprises told the 2020 FAIR Conference, the speed of the analysis comes from prep work done in advance: gathering loss tables, building an asset library and defining the risk scenarios (Werner used the RiskLens platform).
A tip from the Werner team: For data gathering, “know when enough is enough…This is triage, rapid response, and should be a responsive and relatively short process.”
Don’t waste a crisis
When COVID hit, an overseas vendor told a major US healthcare company that it was moving employees to working at home. The US company had to decide very quickly whether it could tolerate the resulting risk. The FAIR team stepped up, and over a six-week period, ran more than a dozen analyses, as management demanded granular insight into different vendors running different processes, as team leader Kurt Zanzi told the 2020 FAIR Conference.
Settle a dispute with risk quantification
Fannie Mae CISO Chris Porter told a classic quick-win story at a FAIR Institute breakfast in 2018: The IT team was resistant to putting the effort into fixing a critical vulnerability in a crown jewel application that was close to retirement. Chris did a quick FAIR estimate showing the range of potential losses if the vulnerability were to be exploited—then asked the IT team if they would accept that risk. “They got it fixed in three days.”
Jump into a project in progress
A large consulting company had delivered a high-level cyber risk assessment to DoorDash but the engineers on a project needed a fine-grained risk analysis fast. As FAIR program manager Sarina Hothi told the 2020 FAIR Conference, just by setting up relevant risks as loss-event scenarios, the engineers got the insight they needed to move ahead with implementing controls. “We were able to go back and do a comparative analysis, to look at our risk pre- and post-controls. This really helped us tell the story of the impact these projects were having from a dollar perspective.”
Do back-of-the-envelope FAIR risk analyses
Another story from Sarina Hothi at DoorDash: “People come in with an edge case and say XYZ is a huge problem and now the end of the world is coming. By going to the FAIR taxonomy and asking questions like ‘How often has the end of the world truly happened? What threat would cause the world to end?’, more often than not we come to the conclusion that the issue at hand is not really a priority. That five minutes spent verbally going through the taxonomy has probably helped me save hundreds of hours.”
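Both the quick estimate Chris Porter describes (a range of potential losses if the vulnerability were exploited) and the pre- and post-control comparison Sarina Hothi describes come down to the same small calculation: sample how often the loss event happens, sample what each event costs, and add up a simulated year many times. The Python below is an added illustration of that calculation, not code from this page, from RiskLens, or from the FAIR Institute. It assumes one common implementation shape (calibrated min/most-likely/max ranges sampled as a modified PERT distribution, event counts drawn from a Poisson with the sampled frequency); real FAIR tooling decomposes frequency and magnitude further, and the scenario figures here are constructed, not taken from any real analysis.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """A calibrated minimum / most-likely / maximum estimate.

    FAIR inputs are gathered as ranges rather than point values; the
    modified-PERT (beta) distribution is one common way to sample a range
    in a Monte Carlo. Assumed implementation choice, not a FAIR requirement.
    """
    low: float
    mode: float
    high: float
    lam: float = 4.0  # PERT shape parameter; 4 is the conventional default

    def sample(self, rng: random.Random) -> float:
        span = self.high - self.low
        if span <= 0:
            return self.low  # degenerate estimate, e.g. "exactly once a year"
        a = 1.0 + self.lam * (self.mode - self.low) / span
        b = 1.0 + self.lam * (self.high - self.mode) / span
        return self.low + rng.betavariate(a, b) * span


@dataclass(frozen=True)
class Scenario:
    """One loss-event scenario: how often it happens and what each event costs."""
    name: str
    loss_event_frequency: Pert  # events per year
    loss_magnitude: Pert        # dollars lost per event


def poisson(rng: random.Random, rate: float) -> int:
    """Knuth's Poisson sampler: fine for the small annual rates used here
    (it gets slow and loses precision for rates in the hundreds)."""
    if rate <= 0:
        return 0
    threshold = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def annual_losses(scenario: Scenario, trials: int = 10_000, seed: int = 1) -> list[float]:
    """Simulate `trials` years. Each year draws a frequency, then a count of
    events at that frequency, then a magnitude per event. Returns the sorted
    annual totals so percentiles can be read off directly."""
    rng = random.Random(seed)
    years = []
    for _ in range(trials):
        rate = scenario.loss_event_frequency.sample(rng)
        events = poisson(rng, rate)
        years.append(sum(scenario.loss_magnitude.sample(rng) for _ in range(events)))
    years.sort()
    return years


def summarize(losses: list[float]) -> dict[str, float]:
    """Annualized loss exposure figures a decision maker actually asks for."""
    def pct(q: float) -> float:
        return losses[min(len(losses) - 1, int(q * len(losses)))]
    return {
        "mean": statistics.fmean(losses),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "max": losses[-1],
    }


def compare(pre: Scenario, post: Scenario, trials: int = 10_000, seed: int = 1) -> dict[str, float]:
    """Pre- vs post-control comparison: the 'what did the project buy us' number."""
    before = summarize(annual_losses(pre, trials, seed))
    after = summarize(annual_losses(post, trials, seed))
    return {
        "mean_before": before["mean"],
        "mean_after": after["mean"],
        "mean_reduction": before["mean"] - after["mean"],
        "p90_before": before["p90"],
        "p90_after": after["p90"],
    }


# Constructed example inputs (not figures from the page or from any real analysis):
# a critical vulnerability in a crown-jewel application, before and after patching.
UNPATCHED = Scenario(
    "crown-jewel app, critical vuln unpatched",
    loss_event_frequency=Pert(0.1, 0.5, 2.0),
    loss_magnitude=Pert(50_000, 500_000, 5_000_000),
)
PATCHED = Scenario(
    "crown-jewel app, vuln patched",
    loss_event_frequency=Pert(0.01, 0.05, 0.2),
    loss_magnitude=Pert(50_000, 500_000, 5_000_000),
)

if __name__ == "__main__":
    for name, value in compare(UNPATCHED, PATCHED).items():
        print(f"{name:>15}: ${value:,.0f}")
```

The five-minute verbal version in the story above is the same walk through the taxonomy with the numbers left as rough ranges: if the "end of the world" scenario has a most-likely frequency near zero, the simulated annual loss collapses no matter how large the magnitude range is, which is exactly why the edge case usually drops out of the priority list. The fixed seed is there so a result quoted in a decision meeting can be reproduced later; change the seed or the trial count and the percentiles move slightly, which is a useful reminder that these are estimates, not measurements.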
Tune Your FAIR Risk Analysis Engine to Go Even Faster
Caleb Juhnke, Sr. Risk Engineer at Equinix and winner of the 2022 FAIR Ambassador award from the FAIR Institute, suggests three ways to accelerate an established risk quantification program:
>>Automate data collection
>>Template data intake forms
>>Integrate with existing decision-making processes