Looking for a Quantitative Cyber Risk Specialist, a Risk Quantification Analyst or even a Senior Factor Analysis of Information Risk (FAIR™) Analyst? It’s a sign of the rapid adoption of FAIR that organizations have recently been advertising for new hires with those titles, jobs dedicated full-time to a skill – cyber risk quantification – that a few years ago wasn’t even thought possible.
Find FAIR quantitative risk analysts and risk managers through the FAIR Institute job board. A free FAIR Institute membership is required to access, along with registration on the LINK FAIR Institute community website.
If you are looking to staff up a FAIR program, the good news is that the candidate pool is growing:
- More than 1,100 have achieved Open FAIR Certification from the Open Group, the standards body that maintains FAIR.
- More than 3,000 have been trained in the FAIR Analysis Fundamentals course by RiskLens Academy, accredited by the Open Group for FAIR training.
- More than 12,500 have joined the FAIR Institute as members.
Read “What Makes a Good Risk Analyst?” to get grounded on the basic skills required (and they’re less technical than you may think):
- Strong critical thinking skills
- Understanding of basic probability
- Training in calibrated estimation
- Comfort with numbers
- Familiarity with Monte Carlo simulation
How to Write a Job Description for a FAIR Quantitative Cyber Risk Analyst
Ads often ask for FAIR certification (administered by the Open Group) and/or other certifications such as CISSP.
In addition to hands-on experience with FAIR, ads may ask for knowledge of standards, frameworks and regulations, such as NIST CSF, ISO and PCI.
Employers are also looking for abilities to gather data for analysis, for instance, “identification of internal and external primary/second loss, threat event and susceptibility data/information.”
Of course, they ask for strong skills in risk quantification modeling (some mention specifically the RiskLens platform) and reporting but also knowledge of data governance, GRC applications, and development of risk appetite, as well as workflows for identifying risks and policy exceptions.
Since FAIR and risk quantification for cyber are still in the evangelizing stage at many companies, one striking feature of these ads is an emphasis on communication skills. Ads mention “building strong, collaborative partnerships with internal key risk partners” and “ability to influence horizontally and vertically across the organization/enterprise, to include among diverse audiences with varying degrees of technical understanding/expertise.” Specifically, some ads mention “train decision makers on calibrated probability assessments.”
A Sample Risk Analyst Job Description
Here are some of the responsibilities listed in a recent posting titled, “Quantitative Risk Analyst – FAIR” from data infrastructure company Equinix:
- Perform triage and detailed FAIR risk analysis using the RiskLens platform to effectively scope and analyze loss event scenarios at scale
- Apply internal and external data as well as calibrated estimation techniques to support FAIR analysis
- Evaluate risks and use strong knowledge of control categories and their effect on loss exposure to make informed recommendations for risk mitigation strategies to the business
- Interpret analysis results and effectively communicate their meaning to decision-makers and other invested stakeholders
- Build and help manage the organization’s risk registers to monitor risks and track their mitigation activities with the associated risk owners
- Help define KPIs and KRIs to be actively used in decision making
- Work with the RiskLens team to monitor and regularly update loss tables and data helpers within the RiskLens platform to support efficiency and consistency of risk analyses
- Coordinate data-gathering initiatives to improve measurement precision
- Socialize the FAIR risk quantification program and promote its adoption among internal stakeholders and Leadership
Where to Find FAIR Analyst Job Candidates
To start, go where the FAIR Institute members are:
- The job board on the Institute’s LINK site
- Local FAIR Institute chapter meetings – also, each local chapter has a message board on LINK to get the word out
- The annual FAIR Conference – the world’s largest gathering of cyber risk quantification fans
- For entry-level positions, try the placement offices at one of the 22 universities that now offer FAIR training.