The FAIR Institute (and risk quantification) flag goes up on another continent with the first FAIR chapter meeting in Australia, held in Melbourne on March 8 and chaired by Jason Ha, Director of the Digital Trust Risk Assurance Practice at PwC Australia. PwC, the global assurance and consulting firm, has a strong presence in information risk management and cybersecurity.
About a year and a half ago, Jason and three team-mates took the Open FAIR online course (“at one or two in the morning Australia time”), were certified, and have since trained more than a dozen PwC staffers, who are now providing FAIR awareness and education to the local market.
Jason is an infosecurity vet who’s worked “from hands-on implementation of solutions to designing and consulting to selling to developing services and risk advisory work. I’ve done the full gamut, which is why I’m quite passionate about FAIR because, for the first time, there’s a model that genuinely helps people understand information and cyber risk and make the right decisions, instead of implementing controls just for the sake of it.”
Q: How did you get interested in FAIR?
A: What we saw in the industry was a very big disconnect between risk professionals, who understand enterprise risk quite well but don’t necessarily have the depth of knowledge in information / cyber risk, and personnel in information security teams who are technically proficient but don’t necessarily have a strong background in risk management.
The messaging would always come back in the same few ways. One was “Our security people have presented the organization’s cyber risk but we are still struggling to really make sense of it.” Or “We’ve invested a lot into information security, but we aren’t sure whether we’ve done enough and there isn’t any information to help us understand this.” And number three was “We think cyber risk is really important so we put an entry in our corporate risk register but we don’t really have much detail beyond that.”
"We could see there was a need not just to help bring a collective understanding of how to properly structure information / cyber risks but to understand the impact of them in a consistent and business-oriented way."
We realized quite quickly that a lot of the qualitative models that were being used were just not workable. So, we searched for an actual quantitative solution and that’s when we came across FAIR – it was robust, well developed and supported by a strong community. In some ways, it appeared to be the “de facto standard”.
Q: What was your experience introducing FAIR to your clients?
A: Well, the initial feedback was profound. One was a financial services organization, where they were having issues with justifying some of their information security investment. After we put things through the FAIR model, the CEO said, “Why didn’t someone just give this to me at the start? I would have approved this 12 months ago.”
"Over the last two years, we’ve invested quite a significant amount in education and awareness at client focused and industry based sessions. The goal was to help them understand there is another way to approach information / cyber risk and manage it more pragmatically."
At the end of last year in Melbourne, we ran a Cyber Risk Master Class to bring the concepts of FAIR to a hands-on practical level. We invited clients in and grouped them by different risk scenarios they were interested in, such as ransomware or privileged insider. We created workbooks with use cases and then were able to effectively walk them through how to apply FAIR to different scenarios and demonstrated the benefits of a quantitative output. For many, it was quite different from what they were used to seeing from a qualitative model. The feedback from clients was very positive.
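To make concrete what a “quantitative output” from a FAIR scenario looks like next to a likelihood-and-impact matrix cell, here is a small Monte Carlo model for a ransomware scenario. This is an added illustration, not code from the interview, from PwC, or from the FAIR Institute’s workbooks. It uses the standard FAIR decomposition (loss event frequency = threat event frequency × vulnerability; loss magnitude = primary + secondary loss), but every numeric range, the triangular distributions, and the two scenarios compared are constructed assumptions chosen only to show the effect, not calibrated estimates.

```python
"""FAIR-style Monte Carlo for a ransomware scenario (added example).

Two scenarios share the same most-likely values, so a 5x5 qualitative
matrix puts them in the same cell, yet their simulated loss exposure
differs by an order of magnitude. All ranges are constructed, not real.
"""
import math
import random
import statistics

# Each estimate is (min, most likely, max) -- constructed values only.
NARROW = {
    "tef": (0.2, 0.5, 1.0),              # threat events per year
    "vuln": (0.3, 0.5, 0.7),             # P(threat event becomes a loss event)
    "primary": (100_000, 200_000, 400_000),   # response, recovery, rebuild
    "secondary": (0, 50_000, 200_000),        # fines, customer churn, legal
}
WIDE = {
    "tef": (0.05, 0.5, 4.0),
    "vuln": (0.1, 0.5, 0.9),
    "primary": (50_000, 200_000, 3_000_000),
    "secondary": (0, 50_000, 5_000_000),
}

# Assumed 5x5 matrix bands: (upper bound, label). Values are arbitrary.
LIKELIHOOD_BANDS = [(0.1, "Rare"), (0.5, "Unlikely"), (1.0, "Possible"),
                    (5.0, "Likely"), (math.inf, "Almost certain")]
IMPACT_BANDS = [(100_000, "Minor"), (500_000, "Moderate"), (2_000_000, "Major"),
                (10_000_000, "Severe"), (math.inf, "Catastrophic")]


def poisson(rng, lam):
    """Knuth's method: draw a Poisson count; fine for the small rates here."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def tri(rng, lo, mode, hi):
    """Min / most-likely / max estimate drawn as a triangular distribution."""
    return rng.triangular(lo, hi, mode)


def simulate(scenario, trials=10_000, seed=1):
    """Return one annual loss per simulated year.

    Per year: draw LEF = TEF x Vulnerability, draw a Poisson number of loss
    events at that rate, and sum primary + secondary loss for each event.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        lef = tri(rng, *scenario["tef"]) * tri(rng, *scenario["vuln"])
        total = 0.0
        for _ in range(poisson(rng, lef)):
            total += tri(rng, *scenario["primary"]) + tri(rng, *scenario["secondary"])
        losses.append(total)
    return losses


def summarise(losses):
    """Percentile view that a board can read: p10 / p50 / p90 / mean / max."""
    s = sorted(losses)
    q = lambda p: s[min(len(s) - 1, int(p * len(s)))]
    return {"mean": statistics.fmean(s), "p10": q(0.10), "p50": q(0.50),
            "p90": q(0.90), "max": s[-1]}


def expected_annual_loss(scenario):
    """Closed-form mean to sanity-check the simulation: with independent
    draws E[annual loss] = E[LEF] * E[LM], and a triangular mean is
    (min + mode + max) / 3."""
    m = lambda r: sum(r) / 3
    return m(scenario["tef"]) * m(scenario["vuln"]) * (
        m(scenario["primary"]) + m(scenario["secondary"]))


def qualitative_cell(scenario):
    """What a matrix-based assessment typically records: the most-likely
    LEF and most-likely loss, mapped onto the assumed bands."""
    band = lambda x, bands: next(label for cap, label in bands if x < cap)
    lef_mode = scenario["tef"][1] * scenario["vuln"][1]
    lm_mode = scenario["primary"][1] + scenario["secondary"][1]
    return band(lef_mode, LIKELIHOOD_BANDS), band(lm_mode, IMPACT_BANDS)


if __name__ == "__main__":
    for name, sc in (("narrow", NARROW), ("wide", WIDE)):
        print(name, qualitative_cell(sc), {k: round(v) for k, v in
                                          summarise(simulate(sc)).items()})
```

Both scenarios print the same (“Unlikely”, “Moderate”) cell, which is all a qualitative register would carry; the simulated p90 and mean show that one of them is a very different investment decision. The closed-form `expected_annual_loss` is there to catch modelling mistakes: if the simulated mean drifts from it, the sampling is wrong, not the estimates.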
Q: Any tips you can share on introducing FAIR to others?
A: What we found works for us is, without watering down the FAIR model too much, you introduce it in different layers. For organizations that are quite new to the concept of FAIR, going in with the full FAIR model and walking them through it tends to overwhelm them.
"We basically try to abstract the concepts of FAIR to a much higher level so conceptually it is easy to digest. If we need to, we step into a further level of detail which would involve using the full model. We found this two-stage model to be a lot more effective than trying to educate on the full ins and outs of FAIR on the first go."
Another key thing we learned is you need to gauge the level of pain they are in as it relates to wanting to truly understand and manage their information / cyber risk. Organizations that have either been given a directive from their board, had some of the risks manifest into actual incidents or are struggling to effectively manage information / cyber risk are more receptive to other models instead of traditional qualitative models.
It’s also important to understand the scope of what they are trying to achieve. Sometimes it might be something tactical such as someone on the board has asked for the impact of an area of concern such as ransomware. At other times, the organization is wanting to do a complete overhaul of how they look at information / cyber risk because of issues they’ve had with their existing risk management model.
Finally, where the stakeholder fits in the “three lines of defense” model is important. People we work with in the second and third lines of defense typically understand risk management and assurance concepts better and, as such, coming to terms with a new model like FAIR is easier. With people in the first line, using FAIR as a model for framing the type of data they have access to, in order to develop or perform further analysis of the risk scenario, is a better approach. In short, you need to tune the way you apply FAIR to different stakeholders so they can understand it and see the benefit of it.
Q: Any interesting case studies you can tell us about?
A: We’ve done a lot of workshopping on complicated and interlinked risk scenarios. These typically involve a shared service provider servicing multiple, different types of clients, and the questions are what some of the risk aspects are in terms of individual and shared risks, and what the impact of controls is in that type of environment. We used FAIR to bring objectivity and a degree of consistency so everybody arrived at the same point, after starting with their own internal likelihood-and-impact matrixes.
Q: What are your interests outside work?
A: I’m quite interested in martial arts. There’s a degree of science that goes behind the type of martial arts that I study [Wing Chun Kung Fu] in terms of how it works as a form of a system.
"I’ve always been interested in systematic approaches to things. I take those principles from martial arts and apply them to what I do – that aligns with FAIR really well."
In martial arts, the main reason you train is to develop a system to support you in having the right structure in place and the muscle memory to apply it when you need it in the most appropriate way. You can’t afford to just "wing it".
It’s the same thing when you do risk work. You have a good system in place, that you’ve grounded yourself in, and can apply that system to a number of different circumstances. You interpret the scenario you’re working with, understand the people you are engaging with, and apply the system in order to get the best outcome for everyone.
So that’s the interest I have at a personal level and I try to apply it both ways.
Learn more about FAIR Institute events and activities, including the upcoming FAIR Conference 2018.