In a video interview just out on eWeek, titled “RSA Taking a FAIR Approach to Defining Cyber-Risk”, RSA Chief Technology Officer Zulfikar Ramzan discusses what he calls the “exciting” new direction for RSA Archer: “cyber risk economics and cyber risk quantification. We’re seeing it repeatedly: People are beginning to think about security in risk terms… What’s new is the degree to which this is being picked up by a lot of our customers.”
He adds that “some of our major customers have already adopted FAIR and risk quantification. It’s still early, but I think this is a nascent opportunity for us.” In fact, at the last RSA Conference, RSA Archer introduced a cyber risk module based on FAIR for its widely used GRC tool. The rollout event for the module was one of the best-attended product events of the conference.
RSA’s alignment with FAIR is a major step toward popularizing risk-based thinking and helping the industry adapt to a revolution in expectations from Boards of Directors on down. Poor visibility into the risk landscape, based on ambiguous, qualitative High-Medium-Low ratings, is increasingly just not acceptable in risk reporting. What I think of as The Dark Ages of Cyber Risk Decision-Making is drawing to a close, and RSA deserves credit for helping lead the way forward.
In another sign of change, Ramzan describes meeting with a group of CISOs who mostly use NIST CSF as their primary vehicle for developing security strategy but now “what they’re looking for is just a rigorous way to start thinking about cyber. Even from CSF, you can start to drive [quantitative] metrics, and use those metrics as part of how you report to your board, and that to me is very, very powerful.”
Nick Sanna is President and Secretary of the FAIR Institute and CEO of RiskLens