Implementing the FAIR standard requires more effort than procuring a tool, such as slamming a shiny new firewall into an organization’s environment. FAIR requires a culture change. FAIR translates cyber and operational risk into business terms. We need to change the way we think about analyzing and managing risk and even how we define it. This requires training, practice, and patience. The implementation and adoption of the FAIR standard need to be thoughtful and strategic.
I like to think of organizational buy-in for a FAIR-based program as an interconnected web of incremental wins, with two key figures responsible:
The FAIR Champion
Winning hearts and minds requires buy-in from the bottom of the organizational structure all the way to the top. Everyone has a role to play, but none is more important than the risk practitioners.
It is of the utmost importance that the team of risk practitioners is completely bought into the business objectives that a FAIR-based quantitative risk management program provides. Everything is built on the risk practitioner team providing analysis output that can be used to make risk-based decisions.
One person from that team needs to be the FAIR Champion. It is his or her duty to speak about FAIR in generalities and in detail to all levels of the organization. Champions have to be salesmen and saleswomen and be able to create excitement and momentum.
They must also be prepared to face resistance when socializing the benefits that a FAIR-based quantitative risk management program brings. A risk practitioner who has been using a qualitative measurement method for the last decade might not see the merit in buying in to a FAIR-based approach. People have made careers measuring risk qualitatively, so why would they change now?
The good news is that this problem can be solved fairly easily. As the FAIR Champion, it is important to focus on the weak points of qualitative analysis. Remind the risk practitioners that FAIR is data-driven, and the model can hang its hat on defensibility. The risk practitioner will flash back to a time when a decision maker challenged a qualitative risk analysis and disregarded the results due to a lack of defensibility. A qualitative analysis process is loaded with personal experience and biases, which means analysis baselines cannot be leveraged from one risk practitioner to the next.
Focus on the fact that FAIR utilizes data from subject matter experts from around the organization. This creates credibility by using their expertise to speak to specific data points relevant to the risk scenario. This also creates a sense of ownership between the subject matter experts and the risk practitioner because they know that their input is being used to make a decision.
One of the best ways to win over a team of risk practitioners is to have them participate in FAIR training. FAIR training is the perfect first step to align on using the FAIR terminology – we can’t have meaningful conversations on risk when we don’t even have risk defined. FAIR training also provides a forum for skeptics to ask questions and dive into the taxonomy and measurement concepts. Learn more about FAIR training.
The Executive Sponsor
The FAIR Executive Sponsor also serves another role, to determine the right time and place to socialize FAIR. They need to be ready to plant seeds throughout the organization’s leadership ranks. The goal is to drum up interest without pressuring a decision so early on in the adoption.
It can be as simple as sending a case study to an executive or a peer that shows how quickly a triage can be analyzed or how FAIR results are translated into business terms, linking to a FAIR Institute blog post about reporting top risks to the board, or showing an internal auditor an article on using FAIR for compliance. The possibilities are endless as long as the objective remains the same: to show the potential stakeholders why FAIR is revolutionizing the industry and to keep interest growing throughout the leadership ranks.
Ultimately, it is up to the Executive Sponsor to evangelize the benefits of FAIR analysis to leadership. FAIR provides something that any decision maker would love to have in a back pocket: a repeatable, defensible way to make risk-informed decisions. When asking for funding, they want to be able to defend their ask, much like risk practitioners want to be able to defend their results to the decision maker. The value FAIR generates perpetuates from the risk practitioner to the board of directors.
The need for buy-in does not begin or end with the FAIR Champion and Executive Sponsor, but extends throughout all levels of the organization. The board wants to know how much identified risk the organization is exposed to. Leaders want to make sure they are spending money the right way on the right things. The risk practitioners want to make their jobs easier while providing more value than they can with qualitative, subjective results. It’s a win all around. It is the job of the FAIR Champion and Executive Sponsor to be the advocates of this winning message and turn the tide from qualitative to quantitative risk management.
For some first-hand experience in winning buy-in, see this blog post and video from the 2020 FAIR Conference: 5 Tips from CISOs on Making the Move to Quantitative Cyber Risk Management
Learn more: How You Can Become a FAIR Champion in 5 Steps
Author Ben Storm is a Risk Consultant for RiskLens