“Most often, this means that FAIR analysis results are valuable in making one or more decisions. Getting a quick win is important because a clock starts ticking as soon as you get the go-ahead. This clock represents a sort of ‘expiration date’ before interest and support begin to wane as other imperatives tug at stakeholder attention.”
It’s a message confirmed by successful FAIR program managers again and again. But how do you find your targets of opportunity, then produce fast decision support based on risk quantification? Here’s some advice from FAIR practitioners:
A popular starting point for a FAIR program: triage the top risks of the organization by loss exposure in dollars. The result is impressive, but as the FAIR program leaders from Werner Enterprises told the 2020 FAIR Conference, the speed of the analysis comes from putting in the prep work to gather loss tables, an asset library and risk scenarios (Werner used the RiskLens platform).
A tip from the Werner team: For data gathering, “know when enough is enough… This is triage, rapid response, and should be a responsive and relatively short process.”
Video: How to Rapidly Triage Issues with FAIR to Focus on What Matters Most
Video: FAIR Risk Analysis for Daily Decision Support
Fannie Mae CISO Chris Porter told a classic quick-win story at a FAIR Institute breakfast in 2018: The IT team was resistant to putting the effort into fixing a critical vulnerability in a crown jewel application that was close to retirement. Chris did a quick FAIR estimate showing the range of potential losses if the vulnerability were to be exploited—then asked the IT team if they would accept that risk. “They got it fixed in three days.”
3 Tips on Introducing FAIR to Your Organization
Implementing FAIR Risk Management at DoorDash at ‘1,000 Miles a Minute’
Another story from Sarina Hothi at DoorDash: “People come in with an edge case and say XYZ is a huge problem and now the end of the world is coming. By going to the FAIR taxonomy and asking questions like ‘How often has the end of the world truly happened? What threat would cause the world to end?’, more often than not we come to the conclusion that the issue at hand is not really a priority. That five minutes spent verbally going through the taxonomy has probably helped me save hundreds of hours.”
>>Automate data collection
>>Template data intake forms
>>Integrate with existing decision-making processes
3 Quick Steps for FAIR Program Maturity