Meet Adham Etoom, National Cyber Security Center of Jordan, Learn Cyber Risk Quantification, at the Mar. 20 FAIR Inst. Middle East Summit
Adham Etoom co-chairs the new Jordan chapter of the FAIR Institute, based in Amman, the latest outpost of the worldwide movement in support of Factor Analysis of Information Risk (FAIR™).
Meet Adham at the FAIR Institute’s Middle East and Africa Summit, on March 20, 2023, in Jordan at the Kempinski Hotel Ishtar Dead Sea, Swaimeh, Amman. Learn how cybersecurity leaders are applying cyber risk quantification to the risk and security issues of your region.
Adham recently joined the Board of Advisors of the FAIR Institute, in addition to his day job as Head of Policy and Compliance, National Cyber Security Center of Jordan. He’s also a member of the Information and Technology Risk Advisory Board at ISACA.
Adham’s co-chair for the Jordan chapter is Mohamed Abdul Rahim, Managing Director, Octopiand Security, also a Board of Advisors member.
I recently caught up with Adham to learn about his FAIR journey.
How did you first hear about FAIR and the FAIR Institute?
I first learned about FAIR in 2018 through my preparation for the CRISC certification exam. I had been leading an information security program and we were looking for a better way to prioritize risks after conducting qualitative risk assessments. We realized that a lot of the qualitative models that were being used were just not offering a way to differentiate between two high risks of different categories.
Until I came across the FAIR model, I was looking for an approach to make risk comparison make sense to enable well-informed decisions for top management. I researched the FAIR standard further and realized that such a scientific model was not just another vendor-specific tool for risk management to label ‘risk’ and drive blindly. At this point I truly realized the significant value of FAIR.
What benefits has quantification brought to the way you see risk managed?
I believe there are several benefits to using the FAIR model, such as being a holistic analytics model that can be applied across cybersecurity, operational, and technology risks. FAIR is a complement to risk management and control frameworks such as NIST CSF, ISO 31000, ISO 27000, CIS, COSO, etc.
FAIR supports true Value-at-Risk (VaR) like what is being done in financial analysis of risk. The FAIR model offers a great tool for reliable and defensible decision support by visualizing risks' impact in dollars with a range of probabilities. The FAIR model provides a great way to dissect risk into several components so no risk component is overlooked.
Read a blog post by Adham Etoom: Tips to Prepare for the Open FAIR™ Certification Exam
The FAIR approach provides a tremendous amount of value to leadership or boards because the result can be interpreted as a range of probable outcomes for loss exposure to support informed decision-making by the organization. Hence, FAIR analysis results enable leadership to prepare for the worst-case scenario and be ready for it ahead of time, regardless of what type of crisis it is or whom it will affect. Planning for various scenarios can help to be ready to act when needed.
Once you have quantified risk, a crucial next step is to communicate those results to stakeholders. What are some tips that you would give to our members about effectively communicating risk to leadership?
Focus on two questions that have to be answered to make effective communication to the board:
“How much risk are we carrying?” and “Are we doing enough to mitigate it?”
If we do so by communicating these answers to leadership as a range of probable outcomes for the top five to ten risks in financial terms, we are enabling the leadership to make well-informed decisions.
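As an added illustration (not part of the interview, and not a tool from the FAIR Institute or the FAIR standard), the script below shows what "a range of probable outcomes in financial terms" looks like in practice, both for the Value-at-Risk style view described in the benefits answer above and for the top-risks comparison described here. Each scenario is decomposed into FAIR factors (threat event frequency, vulnerability, primary and secondary loss magnitude), each factor gets a min / most-likely / max estimate, and a Monte Carlo run turns those into annualized loss percentiles. The two scenarios and every estimate in them are constructed for the example; the PERT sampler, Poisson sampler and percentile helper are ordinary textbook implementations written for this illustration.

```python
"""FAIR-style Monte Carlo loss exposure (added illustration, standard library only).

Every scenario and min/most-likely/max estimate below is constructed for the
example; none of the figures come from the interview or from a real assessment.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """Min / most-likely / max estimate, sampled as a PERT (scaled beta) distribution."""
    low: float
    mode: float
    high: float

    def __post_init__(self):
        assert self.low <= self.mode <= self.high, "estimate must satisfy low <= mode <= high"

    def sample(self, rng: random.Random) -> float:
        if self.high == self.low:  # degenerate estimate: no uncertainty at all
            return self.low
        span = self.high - self.low
        a = 1 + 4 * (self.mode - self.low) / span  # standard PERT shape (lambda = 4)
        b = 1 + 4 * (self.high - self.mode) / span
        return self.low + span * rng.betavariate(a, b)

    def mean(self) -> float:
        return (self.low + 4 * self.mode + self.high) / 6


@dataclass(frozen=True)
class Scenario:
    """One risk scenario broken into the FAIR factors it is built from."""
    name: str
    tef: Pert             # threat event frequency: attempts per year
    vulnerability: Pert   # probability an attempt becomes a loss event (0..1)
    primary_loss: Pert    # direct loss per event, in dollars
    secondary_loss: Pert  # secondary loss per event (fines, churn, ...), in dollars

    def expected_annual_loss(self) -> float:
        """Analytic point estimate E[TEF] * E[Vuln] * E[LM], assuming independent factors."""
        return self.tef.mean() * self.vulnerability.mean() * (
            self.primary_loss.mean() + self.secondary_loss.mean())


def poisson(lam: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler; adequate for the small per-year event rates used here."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario: Scenario, years: int = 10_000, seed: int = 7) -> list[float]:
    """Return one annualized loss figure per simulated year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        # loss event frequency = threat event frequency x vulnerability
        lef = scenario.tef.sample(rng) * scenario.vulnerability.sample(rng)
        total = 0.0
        for _ in range(poisson(lef, rng)):  # events in this year, assumed independent
            total += scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
        losses.append(total)
    return losses


def percentile(sorted_values: list[float], p: float) -> float:
    """Nearest-rank percentile of an ascending list."""
    idx = min(len(sorted_values) - 1, max(0, math.ceil(p / 100 * len(sorted_values)) - 1))
    return sorted_values[idx]


def summarise(losses: list[float]) -> dict:
    """Loss exposure the way a FAIR report states it: a range of percentiles, not one number."""
    s = sorted(losses)
    return {
        "mean": sum(s) / len(s),
        "p10": percentile(s, 10),
        "p50": percentile(s, 50),
        "p90": percentile(s, 90),  # the Value-at-Risk style figure boards usually ask for
        "max": s[-1],
        "prob_any_loss": sum(1 for x in s if x > 0) / len(s),
    }


# Constructed scenarios: both would land in the same 'High' cell on a qualitative heat map.
RANSOMWARE = Scenario(
    "Ransomware on file servers",
    tef=Pert(2, 4, 8), vulnerability=Pert(0.10, 0.30, 0.60),
    primary_loss=Pert(50_000, 200_000, 1_000_000),
    secondary_loss=Pert(0, 50_000, 500_000),
)
INSIDER = Scenario(
    "Privileged insider data theft",
    tef=Pert(0.1, 0.3, 1.0), vulnerability=Pert(0.50, 0.80, 0.95),
    primary_loss=Pert(100_000, 400_000, 2_000_000),
    secondary_loss=Pert(200_000, 1_000_000, 5_000_000),
)


def compare(*scenarios: Scenario) -> dict[str, dict]:
    """Summaries keyed by scenario name, so two 'High' risks can be ranked in dollars."""
    return {s.name: summarise(simulate(s)) for s in scenarios}


if __name__ == "__main__":
    for name, stats in compare(RANSOMWARE, INSIDER).items():
        print(f"{name}: p10 ${stats['p10']:,.0f}  p50 ${stats['p50']:,.0f}  "
              f"p90 ${stats['p90']:,.0f}  mean ${stats['mean']:,.0f}  "
              f"P(any loss) {stats['prob_any_loss']:.0%}")
```

The p90 column is the figure to put in front of the board for the "how much risk are we carrying?" question, and the gap between p50 and p90 is what separates two risks that a heat map would colour identically. Two caveats a practitioner would add: the output is only as defensible as the calibrated estimates that feed it, and the Poisson step assumes loss events within a year are independent, which understates clustered campaigns.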
Quantification is an important part of solving uncertainty in an enterprise risk management program. What are you seeing as some other key issues facing the risk management profession where quantification can help?
Effective communication and risk prioritization to maximize ROI are two issues where I believe quantification has done a great job of making them practically achievable. Thus, quantification can easily bridge the gap between IT, cybersecurity and business by providing a common language everyone can understand across the enterprise.
So, within the FAIR Institute, you’ve been a rather involved member over the past couple of years. Can you talk a little about your involvement with the FAIR Institute, how you’ve seen it grow in the past three years, and where you see it going?
The FAIR Institute itself has well-rounded founders and experts and provides excellent educational resources about the FAIR model. The membership base has increased dramatically, and it’s observable that many people and organizations are adopting the FAIR model as part of their decision support tools.
As we are true believers in the FAIR model, we established the FAIR Jordan Chapter in 2022, delivered several workshops and training courses for prominent universities and organizations in Jordan, and are holding quarterly meetings throughout the year to keep educating people about the benefits that FAIR provides, with practical use cases from various industries. And recently, I joined the advisory board of the FAIR Institute, which makes great sense for me, to be part of such a great group of founders and experts who can advance and enhance risk management practices worldwide.