Minnesota State Government Launches Ambitious FAIR Cyber Risk Management Program
Chris Luhman, a security leader at Minnesota IT Services (MNIT), the state government’s centralized IT services team, first read the FAIR book eight years ago but, like many patient FAIR pioneers, waited until his agency had matured to some familiarity with risk quantification (using NIST-based scoring).
Last year, MNIT went full force with an ambitious launch – introducing FAIR CRQ to 20 state agencies, with a vendor doing the work “so we could see the best-case scenario.”
The team chose those 20 agencies “because it was a mix of different sizes, different criticality of the services that MNIT was providing, and different levels of IT support… It was ambitious but we were doing managed service with the vendor at that point so we felt like it would be a good test.”
In the past six months, the team has been onboarding the FAIR analytics tool and transitioning responsibility to owners of the FAIR program in each agency, with a “train the trainers” approach.
Value of a Common Risk Vocabulary
“Now we are making sure we have a common vocabulary, so we can have the same understanding (and) when we say the word, ‘risk,’ we are on the same page,” Chris said.
“One of the things I really like about FAIR is being able to describe cybersecurity terms concretely with financials instead of high/moderate/low. What ‘high’ means to me is maybe not what ‘high’ means to you, and that’s proven to be a challenge over the years.”
Along with the rollout, MNIT launched a “community of practice” for FAIR practitioners to meet once a month to share knowledge and results.
The Data Challenge
As in many FAIR program launches, finding data for analysis was a problem, particularly on the financial impact side of the model. “Not all partner agencies we worked with had thought about things in that way. We had to make friends with the business continuity folks at different agencies and teach them what we were trying to do… They got excited about it very quickly” because they could see the value for their agencies.
Positive Response from Leadership
“I especially find that the business leaders really enjoy security saying, ‘this is a $1 million risk and maybe if we implement this control, we can bring this risk down by one half.’ Our business leaders are used to having a conversation based on financial success, so that's a huge advantage.”
Analyses by the MNIT team have already supported business decisions, for example showing that a web application firewall would reduce loss exposure by ten times its cost – and implementing multi-factor authentication on the 365 environment could reduce loss exposure by half.
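As an added illustration that is not part of the article or of MNIT’s analyses, the following Python script shows the kind of FAIR-style arithmetic behind a statement like “this control reduces loss exposure by half” or “by ten times its cost.” All inputs (threat event frequency, vulnerability, loss magnitude, control cost) are constructed assumptions, not Minnesota’s figures.

```python
# Added example (not from the article): a FAIR-style annualized loss exposure
# (ALE) estimate comparing a baseline scenario with a control scenario.
# FAIR decomposes Loss Event Frequency (LEF) into Threat Event Frequency (TEF)
# x Vulnerability, then multiplies by Loss Magnitude (LM) to get ALE.
# Every number below is a constructed assumption for illustration only.
from dataclasses import dataclass


def pert_mean(low: float, most_likely: float, high: float) -> float:
    """Expected value of a calibrated (min, most likely, max) estimate
    using the PERT weighting (most likely counted four times)."""
    return (low + 4 * most_likely + high) / 6


@dataclass
class Scenario:
    tef: tuple            # threat events per year: (min, most likely, max)
    vulnerability: tuple  # P(threat event becomes a loss event): (min, ml, max)
    loss_magnitude: tuple  # dollars per loss event, primary + secondary

    def lef(self) -> float:
        """Loss event frequency per year = TEF x Vulnerability."""
        return pert_mean(*self.tef) * pert_mean(*self.vulnerability)

    def ale(self) -> float:
        """Annualized loss exposure = LEF x Loss Magnitude."""
        return self.lef() * pert_mean(*self.loss_magnitude)


def control_value(baseline: Scenario, with_control: Scenario,
                  annual_control_cost: float) -> dict:
    """Compare residual exposure to baseline and to the control's yearly cost."""
    reduction = baseline.ale() - with_control.ale()
    return {
        "baseline_ale": baseline.ale(),
        "residual_ale": with_control.ale(),
        "reduction": reduction,
        "reduction_fraction": reduction / baseline.ale(),
        "benefit_cost_ratio": reduction / annual_control_cost,
    }


# Constructed scenario: a public web application without / with a WAF.
# The WAF is modelled as lowering vulnerability only; TEF and LM are unchanged.
BASELINE = Scenario(tef=(20, 50, 120), vulnerability=(0.10, 0.20, 0.40),
                    loss_magnitude=(50_000, 200_000, 1_000_000))
WITH_WAF = Scenario(tef=(20, 50, 120), vulnerability=(0.01, 0.03, 0.08),
                    loss_magnitude=(50_000, 200_000, 1_000_000))
WAF_ANNUAL_COST = 300_000  # assumed yearly licence + operations cost

if __name__ == "__main__":
    for k, v in control_value(BASELINE, WITH_WAF, WAF_ANNUAL_COST).items():
        print(f"{k:>20}: {v:,.2f}")
```

The same function can be reused for an MFA scenario by changing which factor the control affects (for credential-based threats, MFA is usually modelled as a vulnerability reduction as well).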
Long-term, Luhman hopes to achieve cost savings by reducing staff workload to run risk assessments with automation and APIs for data input.
Learn more about launching and running a FAIR quantitative cyber risk management program - attend the 2024 FAIR Conference, October 1-2 in Washington, DC.