Using the FAIR model, forward-thinking CISOs are applying quantitative financial analysis of cyber risk to the recommendations generated by the NIST Cybersecurity Framework. FAIR analysis shows how to prioritize among the recommended best practices in the CSF to maximize the return on security investment.
Now NIST has given some important recognition to this trend by publishing a case study on its website documenting the combination of NIST CSF and FAIR at Cimpress, the parent company for multiple independent businesses, best known in the States for its Vistaprint unit. The CSF-FAIR combination is "highly measurable" and empowers "more informed decisions around managing risk," the case study concludes.
Read the case study: “Success Story: Cimpress-FAIR” on the NIST CSF website.
“By mapping [the Framework] to FAIR resistance factors, Cimpress can provide increased confidence that control/resistance strength is relevant and proportional to the loss scenarios,” says the case study.
“Additionally, as risk scenarios were evaluated, the risk management staff could more clearly see how investing in increasing maturity would impact the expected losses related to each scenario.
“That turned the process into a highly measurable one that can be more easily justified in terms of budget allocation and risk tolerance…
“Ongoing evaluation processes call for updating the maturity scores of the businesses over time. Those revised scores trigger updates to the FAIR models, which in turn provides a measurable risk-tolerance view for the businesses in financial terms.
“Additionally, the company’s businesses and corporate management have a better understanding of the impact of risks and can make more informed decisions around managing risk.”
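The loop the case study describes (maturity score in, expected loss in dollars out, then rank investments) is easy to see in a small FAIR-style calculation. The block below is an added illustration, not Cimpress’s model or the case study’s data. It assumes, for illustration only, that a CSF maturity score of 1 to 4 maps linearly to a FAIR resistance strength percentile of 25 to 95, that threat capability is uniform over the 0 to 100 percentile range, and that the frequency and loss ranges are constructed sample values; the candidate improvement names and costs are also made up.

```python
"""FAIR-style annualized loss exposure (ALE) driven by a CSF maturity score.

Added example, not the Cimpress model. All numbers and mappings below are
constructed assumptions for illustration.
"""
import random
import statistics

# Constructed loss scenario: (min, most likely, max) ranges for each FAIR input.
SCENARIO = {
    "threat_event_frequency": (2.0, 6.0, 12.0),          # events per year
    "primary_loss": (20_000, 80_000, 300_000),           # USD per loss event
    "secondary_loss": (0, 25_000, 200_000),              # USD per loss event
}


def resistance_strength(maturity_score: float) -> float:
    """Assumed mapping: CSF maturity 1..4 -> resistance strength percentile 25..95."""
    if not 1 <= maturity_score <= 4:
        raise ValueError("maturity score must be between 1 and 4")
    return 25 + (maturity_score - 1) / 3 * 70


def vulnerability(maturity_score: float) -> float:
    """FAIR vulnerability: probability that threat capability exceeds resistance.

    With threat capability assumed uniform over the 0..100 percentile range, this
    is simply the fraction of the range above the resistance strength.
    """
    return (100 - resistance_strength(maturity_score)) / 100


def _sample(rng: random.Random, triple) -> float:
    """Draw from a triangular distribution given (min, most likely, max)."""
    lo, most_likely, hi = triple
    return rng.triangular(lo, hi, most_likely)


def simulate_ale(maturity_score: float, scenario=SCENARIO, trials=20_000, seed=42) -> dict:
    """Monte Carlo estimate of annualized loss exposure for one scenario.

    Loss event frequency = threat event frequency x vulnerability, and
    annual loss = loss event frequency x loss magnitude (primary + secondary).
    A fixed seed keeps runs comparable across maturity levels.
    """
    rng = random.Random(seed)
    vuln = vulnerability(maturity_score)
    annual_losses = []
    for _ in range(trials):
        tef = _sample(rng, scenario["threat_event_frequency"])
        loss_event_frequency = tef * vuln
        loss_magnitude = _sample(rng, scenario["primary_loss"]) + _sample(rng, scenario["secondary_loss"])
        annual_losses.append(loss_event_frequency * loss_magnitude)
    annual_losses.sort()
    return {
        "mean": statistics.fmean(annual_losses),
        "p10": annual_losses[int(0.10 * trials)],
        "p90": annual_losses[int(0.90 * trials)],
    }


def expected_loss_reduction(current_score: float, target_score: float) -> float:
    """Expected annual loss avoided by raising maturity from current to target."""
    return simulate_ale(current_score)["mean"] - simulate_ale(target_score)["mean"]


def prioritize(candidates):
    """Rank candidate maturity investments by expected loss avoided per dollar spent.

    candidates: iterable of (name, current_score, target_score, cost_usd).
    Returns a list of (loss_avoided_per_dollar, name, loss_avoided) sorted best first.
    """
    ranked = []
    for name, current, target, cost in candidates:
        saved = expected_loss_reduction(current, target)
        ranked.append((saved / cost, name, saved))
    ranked.sort(reverse=True)
    return ranked


# Constructed candidate investments (hypothetical names and costs).
CANDIDATES = [
    ("Identity management (PR.AC) 1->3", 1, 3, 150_000),
    ("Continuous monitoring (DE.CM) 2->3", 2, 3, 60_000),
    ("Response planning (RS.RP) 3->4", 3, 4, 40_000),
]

if __name__ == "__main__":
    for score in (1, 2, 3, 4):
        r = simulate_ale(score)
        print(f"maturity {score}: mean ALE ${r['mean']:,.0f}  (p10 ${r['p10']:,.0f}, p90 ${r['p90']:,.0f})")
    for per_dollar, name, saved in prioritize(CANDIDATES):
        print(f"{name}: ${saved:,.0f} avoided per year, {per_dollar:.1f}x per dollar")
```

Re-running `simulate_ale` with the revised maturity scores is the “update to the FAIR models” the case study refers to; the ranking from `prioritize` is the budget conversation it says becomes more defensible, because each candidate is compared on dollars of expected loss avoided rather than on a maturity tier alone.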
The FAIR Institute is working closely with NIST to formalize the relationship between CSF and FAIR — expect more news on that going forward. There will also be a session at the 2019 FAIR Conference titled “Building a Cybersecurity Program with a Risk Management Framework & FAIR” with both Kevin Stine, Chief of the Applied Cybersecurity Division at NIST, and Ian Amit, CSO at Cimpress, on the panel. Ian Amit also discussed the Cimpress case study in a webinar, “Combining NIST-CSF and FAIR: Quantifying Risk to Drive Better Decision Making,” hosted by the Institute’s technical advisor, RiskLens.