The question often arises, “How is FAIR different from (or better than) a framework like NIST’s Cybersecurity Framework (CSF)?” The simple answer is: FAIR isn’t inherently better or worse; it is fundamentally different and, in fact, complementary.
Frameworks as lists of good practices
Frameworks like the NIST CSF (or PCI DSS, ISO 2700x, COBIT, etc.) are essentially lists of good practices.
"The Framework enables organizations – regardless of size, degree of cybersecurity risk, or cybersecurity sophistication – to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure." (Framework for Improving Critical Infrastructure Cybersecurity. NIST)
These frameworks also tend to set a lowest-common-denominator bar, meaning that compliance doesn’t necessarily equate to “sufficient” risk management practice. The problem is that, because checklist frameworks don’t help in actually measuring risk, organizations are left to their own devices to evaluate whether compliance is sufficient. This is where FAIR comes in.
FAIR: an analytic model
FAIR is an analytic model that enables an organization to evaluate and measure the significance of gaps or the sufficiency of compliance so that it can make well-informed choices about where to apply its limited resources.
Digging deeper
Over the next several weeks, I’ll publish a series of blog posts that will seek to do several things:
Although these posts will focus primarily on the CSF and FAIR, I hope they will also provide a useful lens for viewing the broader landscape of risk management and information security frameworks and methods.
Stay tuned for Part 2.