I like to think of organizational buy-in for a FAIR-based program as an interconnected web of incremental wins, with two key figures responsible: the FAIR Champion and the FAIR Executive Sponsor.
Winning hearts and minds requires buy-in from the bottom of the organizational structure all the way to the top. Everyone has a role to play, but none is more important than the risk practitioners.
It is of the utmost importance that the team of risk practitioners is fully bought into the business objectives that a FAIR-based quantitative risk management program serves. Everything is built on the risk practitioner team producing analysis output that can be used to make risk-based decisions.
One person from that team needs to be the FAIR Champion. It is his or her duty to speak about FAIR, both in generalities and in detail, to all levels of the organization. Champions have to be salespeople, able to create excitement and momentum.
The good news is that this problem can be solved fairly easily. As the FAIR Champion, focus on the weak points of qualitative analysis. Remind the risk practitioners that FAIR is data-driven and that the model stands on defensibility. Every risk practitioner can recall a time when a decision maker challenged a qualitative risk analysis and disregarded the results for lack of defensibility. A qualitative analysis process is loaded with personal experience and bias, which means analysis baselines cannot be carried over from one risk practitioner to the next.
Focus on the fact that FAIR draws its data from subject matter experts around the organization. This creates credibility, because their expertise speaks to the specific data points relevant to the risk scenario. It also creates a sense of ownership between the subject matter experts and the risk practitioner, because they know their input is being used to make a decision.
One of the best ways to win over a team of risk practitioners is to have them participate in FAIR training. FAIR training is the perfect first step to align on FAIR terminology; we can't have meaningful conversations about risk when we don't even have risk defined. FAIR training also provides a forum for skeptics to ask questions and dig into the taxonomy and measurement concepts. Learn more about FAIR training.
The FAIR Executive Sponsor serves another role: determining the right time and place to socialize FAIR. They need to be ready to plant seeds throughout the organization's leadership ranks. The goal is to drum up interest without pressuring anyone into a decision so early in the adoption.
Ultimately, it is up to the Executive Sponsor to evangelize the benefits of FAIR analysis to leadership. FAIR provides something any decision maker would love to have in their back pocket: a repeatable, defensible way to make risk-informed decisions. When asking for funding, leaders want to be able to defend their ask, much as risk practitioners want to be able to defend their results to the decision maker. The value FAIR generates propagates from the risk practitioner up to the board of directors.
The need for buy-in does not begin or end with the FAIR Champion and Executive Sponsor, but extends throughout all levels of the organization. The board wants to know how much identified risk the organization is exposed to. Leaders want to make sure they are spending money the right way on the right things. Risk practitioners want to make their jobs easier while providing more value than qualitative, subjective results can. It's a win all around. It is the job of the FAIR Champion and Executive Sponsor to advocate this winning message and turn the tide from qualitative to quantitative risk management.
For some first-hand experience in winning buy-in, see this blog post and video from the 2020 FAIR Conference: 5 Tips from CISOs on Making the Move to Quantitative Cyber Risk Management
Learn more: How You Can Become a FAIR Champion in 5 Steps
Author Ben Storm is a Risk Consultant for RiskLens