The FAIR Institute and the Global Resilience Federation (GRF) -- a non-profit hub for industry groups and government to share intelligence on cyber and physical threats and vulnerabilities -- recently formed a strategic partnership that includes providing discounted FAIR training to GRF members through the RiskLens Academy.
GRF members include government-proposed Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) for the financial services, oil and gas, energy, legal, retail, health, and state and local government sectors.
GRF President Cindy Donaldson is a cybersecurity veteran. Her first job out of business school in the 1990s was building several information security programs for the FDIC in the areas of access control, security awareness training, and encryption. Along the way she founded the Phoenix chapter of the Information Systems Security Association (ISSA) and co-authored PCI DSS v2.0. She joined the Financial Services Information Sharing and Analysis Center (FS-ISAC) in 2014. After one week on the job, she was asked to take on the initiative to establish the Retail ISAC, then the Legal Services Information Sharing and Analysis Organization, before going on to support the Oil and Natural Gas ISAC. In 2017, the FS-ISAC spun off her division, creating GRF as a non-profit hub that supports individual sectors and facilitates cross-sector collaboration.
Q: What services does GRF provide?
A: We provide information and intelligence to our eight member communities, and we facilitate information sharing and collaboration. For example, for oil and gas, we provide dedicated security analysts and full-scale operations support. For financial services, GRF analysts deliver physical and geopolitical analysis. In general, our job is to protect our members from cybersecurity and physical threats, inform them about vulnerabilities within industry systems, and make sure the data they receive from us is timely and actionable.
Q: What are your information sources?
A: We receive information from government, private vendors, sharing community partners, and from members. What’s great is that members can share information about a threat or vulnerability anonymously, if they choose. They are in control of how the intelligence is handled based on how they classify the information. We are always working to advance information exchange that could help our members defend themselves, but we are also extremely careful about protecting the reputation and security of members as well.
Q: What kind of information is being shared?
A: I can’t speak specifically on any of the communities or threats we see, but what is typical of any information sharing community are phishing emails, instances of ransomware, IP addresses, filenames, and vulnerabilities that get exploited. Then we work closely with the member or even pull in pertinent vendors that we have relationships with. We also do some of our own analysis as well. We take the information we get and we enrich it as much as possible to improve quality or content that will help its relevancy and actionability with the membership. The majority of our products focus on threats and vulnerabilities, but we also help with incident response and media response, basically whatever we can do to support members and help arm them and their industry against these adversaries and their impact.
Q: What is the GRF’s interest in FAIR?
A: We’re always looking to provide value to our members and constantly evaluate new opportunities that could be beneficial to them. Having been in the cybersecurity field for a long time and seen all the challenges that those departments face, as far as getting a seat at the board meeting, getting funding to put in place the appropriate controls and minimize risk -- we’ve rarely been able to prove what we prevented from happening. That’s just been a challenge in the industry. So, I was personally excited to learn more about FAIR Institute and the training it can provide to help quantify risk. I took the training, we talked with some members for their reaction, then we set up this partnership so our members would be able to receive a discount on the training.
Q: What would be the appeal of FAIR to your members?
A: It’s one of the few options out there that can help our members utilize budget they have more efficiently. Also, as they’re doing their planning and evaluating their risk posture, it could help them make more educated decisions on budget allocation and what the priorities are for their particular organization. We’ve definitely received a positive response and there’s a great deal of interest in the methodology.
The FAIR Institute welcomes the partnership with the Global Resilience Federation and the threat intelligence community. Threat intel plays a major role in FAIR analysis, supplying data particularly for frequency of probable loss events, the "left side" of the FAIR model. FAIR risk analysts and threat and vulnerability analysts share a passion for more accurate data, delivered faster. Learn more about partnership opportunities with the FAIR Institute.