Looking for a Quantitative Cyber Risk Specialist, a Risk Quantification Analyst or even a Senior Factor Analysis of Information Risk (FAIR) Analyst? It’s a sign of the rapid adoption of FAIR that organizations have recently been advertising for new hires with those titles, jobs dedicated full-time to a skill – cyber risk quantification – that a few years ago wasn’t even thought possible.
If you are looking to staff up a FAIR program, the good news is that the candidate pool is growing; attendance for the FAIR Analysis Fundamentals training course this year, for instance, is already far outpacing last year (by the way, a new edition of the course debuts soon).
Read What Makes a Good Risk Analyst? to get grounded on the basic skills required (and they’re less technical than you may think):
- Strong critical thinking skills
- Understanding of basic probability
- Training in calibrated estimation
- Comfort with numbers
- Familiarity with Monte Carlo simulation
Now, here are a few tips on how and where to find candidates:
Writing a job listing ad for a FAIR risk analyst
At a minimum, the ads ask for FAIR certification (administered by the Open Group). Some also give a preference for CISSP certification.
Required relevant experience may include time on cybersecurity red teams or in IT audit, or a “strong background in applied risk measurement and metrics theory.” In addition to hands-on experience with FAIR, ads may ask for ISO and NIST framework knowledge. (For more on that, see How to Manage a Cybersecurity Program with NIST CSF and FAIR and look for a webinar on the topic coming soon from FAIR Institute technical partner RiskLens with Ian Amit from Cimpress.)
Employers are also looking for abilities to gather data for analysis, for instance, “identification of internal and external primary/second loss, threat event and susceptibility data/information.”
Of course, they ask for strong skills in risk quantification modeling (some specifically mention the RiskLens platform) and reporting, but also for knowledge of data governance and the development of risk appetite, as well as workflows for identifying risks and exceptions.
Since FAIR and risk quantification for cyber are still in the evangelizing stage at many companies, one striking feature of these ads is their emphasis on communication skills. Ads mention “building strong, collaborative partnerships with internal key risk partners” and “ability to influence horizontally and vertically across the organization/enterprise, to include among diverse audiences with varying degrees of technical understanding/expertise.” Specifically, some ads mention “train decision makers on calibrated probability assessments.”
Looking for FAIR analyst candidates
To start, go where the FAIR Institute members are:
- The job board on the Institute’s LINK site
- Local chapter meetings – also, each local chapter has a message board on LINK to get the word out
- The annual FAIR Conference – the world’s largest gathering of cyber risk quantification fans
For entry-level positions, try the placement offices at one of the 17 universities that now offer FAIR training.