The advice from experienced FAIR practitioners is consistent: after initial staff training, start with a small, contained project that can be completed quickly and that supports a decision that currently needs to be made. Experienced hands see the value of a starter project as two-fold:
Jim Robert, Vice President for Enterprise Cybersecurity at Fidelity Investments, frames the educational aspect this way:
“Start small and become comfortable with what you learn from it. Be OK that it won’t be perfect and just recognize that you are continuously learning about how to think about the data that goes into the FAIR model and how it informs risk.”
FAIR analysis actually compels you to start small, working your way up through the model to carefully define a scenario to analyze. As early FAIR adopter Tony Martin-Vegue, Director, Information Security Risk at Informatica, explains:
“FAIR teaches you mentally how to decompose the problem. If you’re looking at the risk of cyber criminals to the company, the typical reaction is ‘Wow, I don’t know where to start’. But FAIR teaches you to decompose so you start small and start building out all the components that make up the risk.”
The bigger educational agenda, says Omar Khawaja, CISO at Highmark Health, “isn’t to use the FAIR methodology to deliver a particular risk assessment report. The goal is to create a culture that’s risk-based.”
In the eBook An Adoption Guide for FAIR, Jack Jones, creator of the FAIR model, writes that a successful introduction of risk quantification to an organization must include executive sponsorship.
Jack writes: “there are two primary considerations when selecting a starting point for adoption that has executive visibility: meaningful results, achieved quickly…
“Getting a quick win is important because a clock starts ticking as soon as you get the go-ahead. This clock represents a sort of ‘expiration date’ before interest and support begin to wane…Whatever you choose for an initial objective should be something you can confidently achieve relatively quickly.”
Jack suggests promising a time-frame of under 90 days to demonstrate speed, while leaving yourself some leeway for project delays.
FAIR practitioners often find early success by jumping in with a just-in-time analysis when a decision must be made.
Chris Porter, CISO at Fannie Mae, told this story at the FAIR Breakfast during the last RSA Conference: The IT team was reluctant to put effort into fixing a critical vulnerability in a crown-jewel application that was close to retirement. Chris did a quick FAIR estimate showing the range of potential losses if the vulnerability were to be exploited, then asked the IT team if they would accept that risk. “They got it fixed in three days.”
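The decomposition Tony Martin-Vegue describes and the "quick FAIR estimate showing the range of potential losses" in Chris Porter's story are the same exercise. The following is an added example, not code from the FAIR Institute or from any of the practitioners quoted on this page. It breaks one scenario into the FAIR factors (threat event frequency, vulnerability, primary and secondary loss magnitude), samples each from a calibrated min / most-likely / max estimate, and runs a Monte Carlo simulation to produce a range of annualized loss exposure plus the probability of exceeding a stated tolerance. Two assumptions to note: the FAIR standard uses PERT distributions for calibrated estimates, and this example substitutes the standard library's triangular distribution to stay dependency-free; and every number in the `LEGACY_APP` scenario is constructed for illustration, not taken from the page.

```python
"""Quick FAIR-style estimate of annualized loss exposure (ALE) for one scenario.

Decomposition (FAIR model):
    Risk = Loss Event Frequency (LEF) x Loss Magnitude (LM)
    LEF  = Threat Event Frequency (TEF) x Vulnerability
           (vulnerability = probability that a threat event becomes a loss event)
    LM   = primary loss + secondary loss (the latter only when secondary
           stakeholders react, which happens with some probability)

Triangular distributions stand in for the PERT distributions the FAIR
standard prescribes (assumption made for a dependency-free example).
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated three-point estimate: minimum, most likely, maximum."""
    lo: float
    mode: float
    hi: float

    def draw(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode) in that order
        return rng.triangular(self.lo, self.hi, self.mode)


@dataclass(frozen=True)
class Scenario:
    """One FAIR scenario (asset + threat + effect) decomposed into its factors."""
    name: str
    tef_per_year: Estimate    # threat events per year
    vulnerability: Estimate   # P(threat event becomes a loss event)
    primary_loss: Estimate    # dollars per loss event
    secondary_loss: Estimate  # dollars per loss event, when secondary loss occurs
    p_secondary: Estimate     # P(secondary loss | loss event)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; fine for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario: Scenario, rng: random.Random) -> float:
    """Simulate one year: draw the frequency factors, then sum realized losses."""
    tef = scenario.tef_per_year.draw(rng)
    vuln = scenario.vulnerability.draw(rng)
    total = 0.0
    for _ in range(poisson(rng, tef)):
        if rng.random() >= vuln:  # threat event that did not become a loss event
            continue
        loss = scenario.primary_loss.draw(rng)
        if rng.random() < scenario.p_secondary.draw(rng):
            loss += scenario.secondary_loss.draw(rng)
        total += loss
    return total


def percentile(sorted_values: list, q: float) -> float:
    return sorted_values[round(q * (len(sorted_values) - 1))]


def simulate_ale(scenario: Scenario, trials: int = 10_000, seed: int = 7,
                 tolerance: float = 1_000_000.0) -> dict:
    """Monte Carlo over `trials` simulated years; returns the ALE distribution."""
    rng = random.Random(seed)
    losses = sorted(simulate_annual_loss(scenario, rng) for _ in range(trials))
    return {
        "mean": sum(losses) / trials,
        "p10": percentile(losses, 0.10),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "max": losses[-1],
        # share of simulated years whose loss exceeds the stated tolerance:
        # the number behind "would you accept that risk?"
        "p_exceed_tolerance": sum(1 for x in losses if x > tolerance) / trials,
    }


# Constructed inputs (hypothetical) for an unpatched flaw in a legacy crown-jewel app.
LEGACY_APP = Scenario(
    name="Unpatched critical vulnerability, legacy crown-jewel app",
    tef_per_year=Estimate(1, 2, 6),
    vulnerability=Estimate(0.10, 0.30, 0.60),
    primary_loss=Estimate(50_000, 200_000, 1_000_000),
    secondary_loss=Estimate(100_000, 500_000, 2_000_000),
    p_secondary=Estimate(0.10, 0.25, 0.50),
)

if __name__ == "__main__":
    result = simulate_ale(LEGACY_APP)
    print(LEGACY_APP.name)
    for key, value in result.items():
        print(f"  {key:>19}: {value:>14,.0f}" if key != "p_exceed_tolerance"
              else f"  {key:>19}: {value:>14.1%}")
```

The output is a range (p10 / p50 / p90), not a single number, which is what makes the "would you accept that risk?" conversation possible: the IT team is being asked to sign off on the tail, not the average. Swapping in a PERT sampler or a tool such as the FAIR-U or RiskLens calculators changes the shape of the distributions but not the decomposition.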
Dave Wolf, CISO at HomeStreet Bank, worked up his first FAIR analysis when the executive committee was considering rolling out a product with a lot of uncertainty around possible losses.
“They had some questions, like ‘Where did you come up with these numbers?’, and I walked them through my thought process and assumptions and they were pleased with it. They said, ‘So if we actually do get to the point where we experience X number of losses then we’re going to shut down this project’.”
Beyond these analyses of opportunity, Jack Jones lists several classic FAIR projects to consider as 90-day starters:
The FAIR Institute was named one of the Most Important Industry Organizations of the Last 30 Years at the 2019 SC Media Awards and The Wall Street Journal says that FAIR is "gaining traction" among the most forward-thinking organizations practicing risk management. Join us! FAIR Institute membership is free to risk management professionals and executives.