FAIR Institute Blog

How to Combine NIST CSF and FAIR™ to Drive Better Cyber Risk Decisions – Watch this Webinar on Demand

Jan 22, 2020 11:24:50 AM / by Luke Bader


[Photo: Jack Freund and Ian Amit at the 2019 FAIR Conference]

In this webinar sponsored by our technical advisor, RiskLens, hundreds of your peers in cybersecurity and risk came to get answers to some burning questions.

How do I get more value from the NIST CSF? How do I communicate about cyber risk to the business in business terms using FAIR™, the international standard model for cyber risk quantification? And how do I combine the two for maximum effect on risk management, as suggested by NIST in its recent inclusion of FAIR in the NIST CSF?

These were the top-of-mind questions that brought our biggest ever webinar registration list to hear from three experts on the subject of NIST CSF/FAIR integration:

Jack Freund, co-author with Jack Jones of the FAIR book, Measuring and Managing Information Risk, Risk Science Director at RiskLens, and advisor to NIST on the addition of FAIR to the CSF.

Ian Amit, CISO at Cimpress (the international company best known in the US for Vistaprint), who has pioneered combining the CSF and FAIR to empower business unit owners to guide their own cyber risk management programs.

Steve Ward, Marketing VP at RiskLens, the cyber risk quantification platform that incorporates the FAIR model. RiskLens sponsored the webinar.


Register to watch the webinar: “Combining NIST CSF and FAIR to Drive Better Cyber Risk Decisions”


In this webinar, you’ll learn:

  • What’s the difference between the NIST framework and the FAIR standard model, and should you do them both? The answer is definitely yes: they are complementary. “FAIR helps you focus on the activities (in the CSF) that matter most…that represent the most risk,” Steve said.
  • How exactly FAIR maps to the CSF. Jack demonstrates the specific advice for the risk management and risk analysis sections of the framework that you can apply to your existing CSF-driven controls and processes.
  • How to construct a CSF-FAIR program, based on the Cimpress approach. As Ian described it, “NIST CSF provided a tactical view of the basic defensive capabilities every business has. It’s a simple framework that a lot of people can quickly adapt and evaluate themselves with… We use FAIR to quantify risk around loss scenarios for each of our businesses. We focus on business scenarios not technical ones and leave the hard work to us to find the technical scenarios.” Cimpress uses the RiskLens platform to run the numbers and “we end up with risk quantification that enables the business to take action” or decide if it is “comfortable with the level of loss expectancy.”
  • For organizations deep into NIST CSF, how to refocus on risk. Steve delivered a warning: “Blanket investment in people and process across all maturity categories is not addressing risk reduction.” He laid out some steps, including identifying top risks and running “what-if” analysis (the type that the RiskLens platform enables) to assess if raising maturity levels would truly reduce risk. “FAIR gives us the construct for risk quantification,” Steve said, “but it does not enable a lot of the decision support capability. You need software and a program to do that…RiskLens can help you enterprise-enable FAIR.”



Luke Bader is Director, Membership and Programs for FAIR Institute
