It’s an issue that comes up again and again at FAIR conferences, chapter meetings, webcasts or discussion boards: “I get the value of FAIR quantitative risk analysis – but I don’t know how or where I could start implementing it.”
The advice from experienced FAIR practitioners is consistent: After initial staff training, start with a small, contained project that can be completed quickly and that supports a current decision to be made. Experienced hands see the value of a starter project as two-fold:
- Educate the team on FAIR analysis and, more broadly, the FAIR mind-set.
- Prove the value of FAIR to the rest of the organization (your future clients for risk analysis).
Educating the team
Jim Robert, Vice President for Enterprise Cybersecurity at Fidelity Investments, frames up the educational aspect this way:
“Start small and become comfortable with what you learn from it. Be OK that it won’t be perfect and just recognize that you are continuously learning about how to think about the data that goes into the FAIR model and how it informs risk.”
FAIR analysis actually compels you to start small, working your way up through the model to carefully define a scenario to analyze. As early FAIR adopter Tony Martin-Vegue, Director, Information Security Risk at Informatica, explains:
“FAIR teaches you mentally how to decompose the problem. If you’re looking at the risk of cyber criminals to the company, the typical reaction is ‘Wow, I don’t know where to start’. But FAIR teaches you to decompose so you start small and start building out all the components that make up the risk.”
The bigger educational agenda, says Omar Khawaja, CISO at Highmark Health, “isn’t to use the FAIR methodology to deliver a particular risk assessment report. The goal is to create a culture that’s risk-based.”
Proving value to the organization
In this eBook, An Adoption Guide for FAIR, Jack Jones, creator of the FAIR model, writes that successful introduction of risk quantification to an organization must include executive sponsorship.
Jack writes “there are two primary considerations when selecting a starting point for adoption that has executive visibility: meaningful results, achieved quickly…
“Getting a quick win is important because a clock starts ticking as soon as you get the go-ahead. This clock represents a sort of ‘expiration date’ before interest and support begin to wane…Whatever you choose for an initial objective should be something you can confidently achieve relatively quickly.”
Jack suggests promising a time-frame of under 90 days to show speed, while giving yourself some leeway for project delays.
Seizing the opportunity: starter projects to try
FAIR practitioners often find early success by jumping in with a just-in-time analysis when a decision must be made.
Chris Porter, CISO at Fannie Mae, told this story at the FAIR Breakfast during the last RSA Conference: The IT team was resistant to putting the effort into fixing a critical vulnerability in a crown jewel application that was close to retirement. Chris did a quick FAIR estimate showing the range of potential losses if the vulnerability were to be exploited, then asked the IT team if they would accept that risk. “They got it fixed in three days.”
Dave Wolf, CISO at HomeStreet Bank, worked up his first FAIR analysis when the executive committee was considering rolling out a product with a lot of uncertainty around possible losses.
“They had some questions, like ‘Where did you come up with these numbers?’, and I walked them through my thought process and assumptions and they were pleased with it. They said, ‘So if we actually do get to the point where we experience X number of losses then we’re going to shut down this project’.”
Beyond these analyses-of-opportunity, Jack Jones lists several classic FAIR projects to consider as 90-day starters:
- Cost-benefit analysis of a major risk management investment: a single FAIR analysis of the effect of implementing a control, comparing its cost to the risk reduction it buys.
- Comparing risk management investments: multiple analyses showing the relative cost-benefit of various controls.
- Cleaning up a risk register: normalizing the entries around FAIR-style loss events to identify which are truly risks, then triaging them into high/medium/low categories.
- Identifying top risks, the next step after risk register clean-up; Jack warns that identifying all the top risks would probably run over 90 days.
- Pure risk reduction—promising stakeholders that within 90 days you will “use FAIR to identify practical means of driving $1M (or whatever amount) of loss exposure out of the organization’s risk landscape…If you’re going to use this approach, you need to be sure to do your homework so that you are absolutely confident in hitting a home run. If you nail it, though, support for further adoption would likely be assured.”
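The first two starter projects above boil down to one calculation: simulate a scenario's annualized loss exposure from calibrated (min, most-likely, max) estimates of threat event frequency, vulnerability and loss magnitude, then rerun it with the control in place and compare the reduction to the control's cost. The script below is an added illustration, not code from the article or the FAIR Institute; the input ranges and the $150k control cost are constructed, and a triangular distribution stands in for the PERT distribution FAIR tools usually use.

```python
import random
from statistics import mean

def tri(rng, lo, ml, hi):
    """Sample a (min, most-likely, max) estimate. Triangular is used here as a
    stand-in for the PERT distribution common in FAIR tooling (assumption)."""
    return rng.triangular(lo, hi, ml)  # random.triangular takes (low, high, mode)

def simulate_ale(tef, vuln, loss, years=10_000, seed=7):
    """Monte Carlo estimate of annualized loss exposure for one FAIR scenario.
    tef  = threat event frequency per year (min, ML, max)
    vuln = probability a threat event becomes a loss event (min, ML, max)
    loss = loss magnitude per loss event in dollars (min, ML, max)
    Returns one simulated total-loss figure per simulated year."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        n_threat_events = round(tri(rng, *tef))
        p_loss = tri(rng, *vuln)
        # each threat event independently becomes a loss event with probability p_loss
        n_loss_events = sum(1 for _ in range(n_threat_events) if rng.random() < p_loss)
        annual.append(sum(tri(rng, *loss) for _ in range(n_loss_events)))
    return annual

def percentile(samples, p):
    """Empirical percentile (0 <= p <= 1) of the simulated annual losses."""
    s = sorted(samples)
    return s[min(len(s) - 1, int(p * len(s)))]

def control_cost_benefit(baseline, with_control, annual_control_cost):
    """Compare mean ALE before and after a control against the control's annual cost."""
    before, after = mean(baseline), mean(with_control)
    return {"ale_before": before, "ale_after": after,
            "risk_reduction": before - after,
            "net_benefit": before - after - annual_control_cost}

# Constructed inputs (not from the article): an exploitable flaw in a legacy application
LOSS = (50_000, 200_000, 1_000_000)
BASELINE = simulate_ale(tef=(2, 5, 12), vuln=(0.1, 0.3, 0.6), loss=LOSS)
# Same scenario after a control that cuts vulnerability; assumed control cost $150k/year
WITH_CONTROL = simulate_ale(tef=(2, 5, 12), vuln=(0.02, 0.08, 0.2), loss=LOSS)
RESULT = control_cost_benefit(BASELINE, WITH_CONTROL, annual_control_cost=150_000)

if __name__ == "__main__":
    for name, s in (("baseline", BASELINE), ("with control", WITH_CONTROL)):
        print(f"{name:13s} ALE p10=${percentile(s, .1):,.0f}  p50=${percentile(s, .5):,.0f}  "
              f"p90=${percentile(s, .9):,.0f}  mean=${mean(s):,.0f}")
    print(f"net benefit of control: ${RESULT['net_benefit']:,.0f}/year")
```

The p10/p50/p90 spread is the "range of potential losses" a decision-maker can be asked to accept or reject; swapping in a second control's vulnerability and cost turns the same script into the multi-control comparison.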
The FAIR Institute was named one of the Most Important Industry Organizations of the Last 30 Years at the 2019 SC Media Awards and The Wall Street Journal says that FAIR is "gaining traction" among the most forward-thinking organizations practicing risk management. Join us! FAIR Institute membership is free to risk management professionals and executives.