

The FAIR Institute's Boston chapter is being revitalized under the leadership of two seasoned professionals: Abhishek Iyer, Manager of Risk and Compliance at CarGurus, and Megan Hewett, Security Risk Manager at HubSpot. I sat down with these risk quantification champions to learn about their journeys and vision for the future.
The Boston Chapter's first meeting of 2025 is scheduled for March 27, 2025, and you can register here.
Megan Hewett and Abhishek Iyer
How They Discovered FAIR™: Different Paths, Shared Vision
The co-chairs discovered FAIR through different channels but were drawn to its practical approach to transforming risk management.
Megan's journey began about 18 months ago through a colleague's recommendation. "A coworker mentioned, 'maybe take a look at this framework, it might help us through our security risk management,'" she recalls. This simple suggestion led her to the FAIR Institute website, then to completing the Fundamentals course and reading the foundational texts, and now to preparing for Open FAIR certification.
Abhishek has been exploring FAIR for approximately three years, seeking solutions to a common challenge: "We talk about qualitative risk analysis a lot, and we have learned about quantitative risk analysis in school, but it was very difficult to put in practice," he explains. Abhishek discovered the FAIR Institute through a mentor's LinkedIn activity, and has since become an active member and attended multiple FAIR Conferences.
Beyond Red, Orange, Yellow: The Limitations of Qualitative Analysis
Both leaders recognize the fundamental shortcomings of traditional approaches to risk assessment.
"We've leveraged your typical impact-likelihood risk heat map for years now," notes Megan, "but it's been challenging to know what are the right areas of focus, especially when multiple risks fall in the same quadrant."
This sentiment echoes a point frequently emphasized by Jack Jones, author of the FAIR model: qualitative analysis creates ambiguity. For example, "How orange is this orange, and how red is this red? If it falls in the same area, that's a tough decision to make."
The Business Case for Quantification
The co-chairs highlighted several compelling advantages of the FAIR™ approach:
For Engineering Teams
"The biggest benefactors of doing this are going to be your engineering teams," Abhishek explains. "You want your engineering teams to do what they do best—build a product—and not spend too much time analyzing 'Is it a critical, high, medium, or low risk?'"
By providing clear, financially expressed priorities, security teams can build stronger partnerships with engineering. "Whenever you come to them with an actual issue, it is thought through thoroughly, has a cost associated with it, and this is why we have to do it," he adds.
For Executive Communication
"One of the challenges we've had at HubSpot historically is communicating the state of security and IT risk, especially to members of our C-suite and board of directors," Megan shares. "We don't want them to have to be subject matter experts on security to understand the risks posed to our business."
The solution? "Dollars and cents are the great equalizer and a common language that everyone understands."
For Investment Justification
Abhishek reflected on a recent dinner with CISOs where budget justification dominated the conversation: "It brought me back to my master's days in 2010, where that was still the key topic talked about at universities. So it's been 14 years, and we still have the same problem."
FAIR offers a pathway to resolve this persistent challenge by providing financial metrics for security investment decisions.
The Future: AI and Third-Party Risk
Looking ahead, Abhishek highlighted two significant trends where FAIR will play a crucial role:
1. AI Acceleration: "We are at a very interesting time with AI. We may not have had the right type of compute power before, but now with AI, we can calculate the FAIR formulas much more quickly. You don't have to be a probability expert or mathematician to understand this."
2. Third-Party Risk Management (TPRM): "Third-party risk is a huge point where we have to use FAIR to help organizations." This aligns with the FAIR Institute's focus, as they're developing new training materials on integrating FAIR with TPRM.
Building Community in Boston
The co-chairs are excited about fostering a learning community through the revitalized Boston chapter.
"That's why I'm really excited to be a co-chair," Megan emphasizes. "Attending FAIRCON and getting the opportunity to meet people who have done this at other organizations—I'm just so excited to learn from everyone, to understand what worked for them and also what hasn't."
Get Involved
The Boston chapter's first meeting is scheduled for March 27, 2025, and you can register here.
For those interested in the broader FAIR community, FAIRCON25 will take place in New York City on November 4-5, 2025 (learn more and register at www.fairconference.org).
Whether you're a seasoned FAIR practitioner or curious about quantitative risk analysis, the Boston chapter welcomes your participation.