FAIR Institute Chairman and FAIR model creator Jack Jones started his keynote for the 2019 FAIR Conference at National Harbor, MD, with a question: “What’s the cost of a $5 million risk management program?” That figure counts everything on the books: salaries, services, technology and so on. The real answer is much more than you think, Jack pointed out.
In truth, the $5 million represents only the "ledger sheet cost" of the program. The true (or economic) cost would also include the opportunity cost of applying those dollars to cyber risk management instead of to growing the business, and the cost imposed on the rest of the organization by the many risk-management-related activities (patching, training and the like) that non-risk-management personnel spend time on in support of the program. This makes it even more important for risk management programs to be cost-effective, which in turn requires the ability to prioritize well and to choose cost-effective solutions.
Risk management programs that rely on intuition and qualitative measurements add further layers of cost, for instance in fire-drill remediation of "critical" vulnerabilities that are not, in fact, critical. Besides being wasteful, poor prioritization also generates noise within the organization that increases the odds of leaving truly dangerous problems untreated, because resources are consumed by less relevant conditions.
“We have a responsibility to help our organizations and industry manage risk as cost-effectively as possible,” Jack said, and quantitative analysis that yields results in financial terms (e.g., FAIR) should be the obvious solution.
But corporate culture and lack of knowledge about how to implement a FAIR program often stand in the way. So, Jack laid out a roadmap for reaching that cost-effective goal line. You can talk with stakeholders about the flaws in qualitative, red-yellow-green mapping of risks, Jack said, but “logic often isn’t enough. You have to demonstrate meaningful value at an acceptable cost.”
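To make the prioritization argument concrete, here is a small added example (my illustration, not code or figures from Jack's keynote or the FAIR Institute). It uses FAIR's top-level decomposition, risk as loss event frequency times loss magnitude, to rank constructed findings by annualized loss and to rank candidate fixes by the loss they avoid net of their cost. The scenario names, ranges and control costs are made up for the example; the triangular-mean shortcut stands in for the PERT-style Monte Carlo sampling a real FAIR analysis would run, and is assumed here only to keep the arithmetic deterministic.

```python
"""Rank findings by annualized loss and fixes by net value.

Added illustration of quantitative prioritization; every number below is
constructed for the example, not taken from a real assessment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """A minimum / most-likely / maximum estimate, as a calibrated analyst gives it."""
    low: float
    mode: float
    high: float

    def mean(self) -> float:
        # Mean of a triangular distribution. This is a simplification of the
        # PERT sampling a FAIR tool would do, assumed here so the result is
        # deterministic and easy to check by hand.
        return (self.low + self.mode + self.high) / 3


@dataclass(frozen=True)
class Scenario:
    name: str
    qualitative: str   # the red/yellow/green label the finding arrived with
    lef: Range         # loss event frequency: loss events per year
    lm: Range          # loss magnitude: dollars per loss event

    def annualized_loss(self) -> float:
        # FAIR's top-level decomposition: risk = frequency x magnitude.
        return self.lef.mean() * self.lm.mean()


@dataclass(frozen=True)
class Control:
    name: str
    scenario: str         # name of the Scenario this control treats
    annual_cost: float    # ledger cost plus an estimate of the time it imposes on others
    lef_reduction: float  # fraction of loss events the control is expected to prevent


# Constructed sample findings (hypothetical systems, hypothetical numbers).
SCENARIOS = [
    Scenario("Internet-facing CMS, scanner-rated critical flaw", "red",
             lef=Range(0.05, 0.2, 0.5), lm=Range(20_000, 80_000, 200_000)),
    Scenario("Shared contractor account without MFA", "yellow",
             lef=Range(0.5, 1.0, 3.0), lm=Range(50_000, 200_000, 800_000)),
    Scenario("Unpatched internal-only print server, scanner-rated critical", "red",
             lef=Range(0.01, 0.05, 0.15), lm=Range(5_000, 10_000, 30_000)),
]

# Constructed candidate fixes, each with its all-in annual cost.
CONTROLS = [
    Control("Patch the CMS this sprint", SCENARIOS[0].name, annual_cost=8_000, lef_reduction=0.9),
    Control("Remove shared account, enforce MFA", SCENARIOS[1].name, annual_cost=40_000, lef_reduction=0.8),
    Control("Emergency out-of-band patch of print server", SCENARIOS[2].name, annual_cost=6_000, lef_reduction=0.9),
]


def prioritize(scenarios: list[Scenario]) -> list[Scenario]:
    """Order findings by annualized loss, highest first, ignoring their colour."""
    return sorted(scenarios, key=lambda s: s.annualized_loss(), reverse=True)


def net_value(control: Control, scenarios: list[Scenario]) -> float:
    """Loss avoided per year by the control minus what it costs per year."""
    scenario = next(s for s in scenarios if s.name == control.scenario)
    avoided = scenario.annualized_loss() * control.lef_reduction
    return avoided - control.annual_cost


def rank_controls(controls: list[Control], scenarios: list[Scenario]) -> list[Control]:
    """Order fixes by net value, so negative-value fire drills sink to the bottom."""
    return sorted(controls, key=lambda c: net_value(c, scenarios), reverse=True)


if __name__ == "__main__":
    print("Findings by annualized loss:")
    for s in prioritize(SCENARIOS):
        print(f"  {s.qualitative:6} ${s.annualized_loss():>12,.0f}  {s.name}")
    print("Fixes by net value:")
    for c in rank_controls(CONTROLS, SCENARIOS):
        print(f"  ${net_value(c, SCENARIOS):>12,.0f}  {c.name}")
```

With these constructed inputs the "yellow" shared-account finding carries roughly twenty times the annualized loss of the "red" CMS flaw, and the emergency print-server patch costs more per year than the loss it avoids, which is exactly the fire-drill spend the qualitative label would have triggered.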
Jack showed a chart with the broad evolutionary steps of FAIR adoption:
(The “near-real-time risk landscape dashboard” is not a reality, he warned, though some vendors may claim it is. Jack suggested a read of his recent whitepaper: Understanding Cyber Risk Quantification: A Buyer's Guide.)
In the next chart, Jack explained the skills (personnel trained in FAIR, whether or not they are full-time risk analysts for the organization), data, and tools needed to travel the roadmap. The left column shows rising levels for each of the three categories, the circles show relative costs, and the green checks mark the minimal level of readiness needed to start the journey.
“Every organization will need to define a roadmap that fits its risk management objectives and constraints,” and expect some tough going in the early days: “It will feel hard because you will spend more time with the data” but “it will get easier.” And in the end “as leaders in our profession, our ability to drive cost-efficacy into our programs will differentiate us from those who are driven by checklists and mental models.”