A recurring question in the early stages of FAIR adoption is, “How do I get organizational buy-in for FAIR?” The short answer is: You communicate FAIR’s value proposition.
Put simply, as the champion for change inside your organization, you'll need to market the FAIR approach to risk management until you achieve an acceptable level of buy-in.
Let’s use a classic view of a marketing funnel to take a high-level walk-through of the journey to FAIR—from early awareness to the broad stages of advocacy — with some tips on how to smooth the way through each of these stages.
It all begins with an introduction (because your colleagues cannot buy-in to FAIR if they have never heard of it). Introduce FAIR to your organization by educating people on:
- What is FAIR: the internationally recognized model for measuring information and technology risk
- How it works: It decomposes risk into its constituent factors and captures their relationships
- Why it’s useful: the FAIR model enables risk to be measured so it can be effectively managed; also, it’s a methodology that provides a codified terminology, which brings clarity to communication about risk
Use the wealth of available resources from the FAIR Institute to help you on this mission.
Once they have been introduced and are aware of FAIR, then they can navigate to the next level.
This is the “getting to know” FAIR phase. Here, it’s important to nurture the familiarization process by providing information such as:
- High-level overview of the FAIR model (see FAIR on a Page)...key terms, such as risk, threat, asset...measurement concepts (probability, accuracy, distributions etc.), and scoping
- An Executive’s Guide to Cyber Risk Economics – FAIR creator Jack Jones gives a high level, non-technical introduction to FAIR for business use.
- Measuring and Managing Information Risk: a FAIR Approach – the FAIR bible, the most thorough introduction to FAIR theory and practice.
- FAIR Institute Blog – quick, substantive reads
Please note: the type of information shared should be commensurate with the level of involvement the individual and or teams are going to have with the FAIR analysis process. Inform, don’t overwhelm.
In the real estate world, when buyers start imagining placing their furniture in the potential home, that is a good sign. Similarly, when others start imagining how FAIR can enhance risk management by augmenting their risk analysis process and improving communication and reporting...then you are at a good point. Here are some exercises that can help advance the conversion process:
- Quantifying existing heat maps or perceived top risks
- Complementing your NIST CSF program by adding an economic dimension with FAIR
- Normalizing your risk register by ensuring entries represent loss events (i.e., events where tangible loss and or liability is expected –not simply control deficiencies or concerns)
During the above exercises, the current FAIR advocate needs to be available to answer questions or provide direction and support.
Here, a foundational understanding of FAIR has taken root. A manifestation of this level having been reached would be when someone has a difficult time viewing risk with an un-FAIR viewpoint. For example, it will be hard for the person to see qualitative risk ratings such as “high, medium, or low” without questioning what “high” means and how much rigor went into the analysis process that assigned that rating? Also, the phrases “You can’t manage what you haven’t clearly defined” or “You can’t manage what you haven’t measured” might be indicators of the FAIR loyalty-level.
At this point in the funnel, some of your co-workers may want to join you as a FAIR expert by taking the
online FAIR training course and trying some FAIR scenarios for themselves on the FAIR-U web training app.
FAIR advocates fully understand and promote FAIR’s value proposition. This optimal level of buy-in is home to a smaller section of your organization. An ideal organizational buy-in mixture will span the spectrum from analyst to executive. In particular, buy-in from executives ensures top-down support of quantitative risk management and helps level-set expectations for those involved in the FAIR analysis process.
See this video of risk management leaders from Walmart, Chevron and Hewlett Packard Enterprise discussing how they introduced FAIR to their companies, during a session at the 2017 FAIR Conference: