Michael Meis, Co-Chair of the Kansas City Chapter of the FAIR Institute and Associate CISO for the University of Kansas Health System, first heard Jack Jones speak at the 2020 RSA Conference and “it was like a lightbulb going off for me” – an answer to a challenge he had not been able to solve at his previous job at H&R Block, namely proving risk reduction for cybersecurity initiatives. “I was fanboying over Jack,” he says, realizing how many problems FAIR solves.
Michael is now five weeks into introducing FAIR in his new role and shares these insights about successful FAIR programs:
- The business wants two questions answered: “How much risk are we carrying, and are we doing enough to mitigate it?” FAIR answers both for cyber risk in the same financial terms the rest of the business already uses.
- Two main strategies work best for implementing a FAIR program. First, understand where the pain points lie in current risk management, and apply FAIR there. Second, meet people where they are in their understanding of risk. “It’s tempting to throw the whole (FAIR) book at them and say, ‘This is how we’ve got to do it,’” but that can lead to resistance. “If they’re married to colors, put quantitative ranges on colors” and advance from there. “Expect a two- to three-year journey.”
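To make the two points above concrete, the following is an added example (not code from the FAIR Institute, from Michael, or from this post) of the core FAIR calculation: a Monte Carlo estimate of annualized loss exposure from calibrated min / most-likely / max ranges, expressed in dollars, with an assumed mapping from heat-map colors to dollar bands so that a "red/yellow/green" audience can keep its colors while the numbers behind them become explicit. The scenario ranges, the assumed effect of the control, and the color bands are constructed for illustration; the product-form estimate (loss event frequency × loss magnitude) is the simplified shape of the FAIR model, not a prescribed implementation.

```python
"""FAIR-style annualized loss exposure (ALE) by Monte Carlo.

Added illustration, not code from the FAIR Institute or from Michael Meis.
All ranges, bands and control effects below are constructed sample inputs.
"""
import random
import statistics

# Assumed, illustrative mapping from heat-map colors to annualized-loss
# bands in USD; a real program calibrates these with the business.
COLOR_BANDS = [
    ("green", 0, 100_000),
    ("yellow", 100_000, 1_000_000),
    ("orange", 1_000_000, 10_000_000),
    ("red", 10_000_000, float("inf")),
]


def color_for_loss(annual_loss_usd):
    """Return the heat-map color whose dollar band contains the loss."""
    for color, low, high in COLOR_BANDS:
        if low <= annual_loss_usd < high:
            return color
    raise ValueError(f"loss must be non-negative: {annual_loss_usd}")


def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw from a modified PERT distribution over [low, high] peaked at
    the most-likely value; a common choice for calibrated estimates."""
    if high <= low:
        return low
    alpha = 1.0 + lam * (mode - low) / (high - low)
    beta = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def simulate_ale(lef, lm, iterations=20_000, seed=7):
    """Monte Carlo estimate of annualized loss exposure.

    lef: (min, most likely, max) loss events per year
    lm:  (min, most likely, max) loss per event in USD
    Each iteration multiplies a sampled frequency by a sampled magnitude
    (the simplified FAIR product form) and the run is summarised as
    mean, median, 90th percentile and the color band of the mean.
    """
    rng = random.Random(seed)
    losses = sorted(
        pert_sample(rng, *lef) * pert_sample(rng, *lm) for _ in range(iterations)
    )
    mean = statistics.fmean(losses)
    return {
        "mean": mean,
        "median": losses[len(losses) // 2],
        "p90": losses[int(0.9 * len(losses))],
        "color": color_for_loss(mean),
    }


def risk_reduction(before, after):
    """Expected annual loss avoided by a control, in USD: the difference
    between the two scenarios' mean ALE."""
    return before["mean"] - after["mean"]


if __name__ == "__main__":
    # Constructed scenario: credential phishing leading to account takeover.
    # Before: 1 to 4 events a year (most likely 2); 50k to 500k USD each.
    before = simulate_ale(lef=(1, 2, 4), lm=(50_000, 150_000, 500_000))
    # After phishing-resistant MFA (assumed effect): 0.1 to 1 events a year
    # (most likely 0.3); loss per event unchanged.
    after = simulate_ale(lef=(0.1, 0.3, 1.0), lm=(50_000, 150_000, 500_000))
    for name, r in (("before", before), ("after", after)):
        print(f"{name}: mean ${r['mean']:,.0f}  p90 ${r['p90']:,.0f}  band={r['color']}")
    print(f"expected annual loss avoided: ${risk_reduction(before, after):,.0f}")
```

The "before" and "after" runs answer the two business questions in one report: the mean and 90th percentile say how much risk is being carried, and the difference between the runs is the risk reduction a given initiative buys, which is the number a budget conversation needs. The color is derived from the dollars rather than the other way around, which is the point of putting ranges on colors.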
Watch my conversation with Michael for more insights: