In our recent member survey, we asked “please rank the areas in which you would like to learn or sharpen your FAIR-related skills.” Taking a cue from the results, here is a short study guide covering the topics of most educational interest to the FAIR Institute membership.
1. FAIR Controls Analytics Model (FAIR-CAM)
At the 2021 FAIR Conference, FAIR creator Jack Jones introduced this model for quantifying the effectiveness of controls, and it is generating a lot of buzz and interest in the risk and security community. Several FAIR Institute teams are mapping FAIR-CAM to the leading cybersecurity controls frameworks and standards. Jack wrote an easy-to-follow explanation of the model in How Cyber Risk Management Is Like Buying a Bike for Your Daughter. FAIR Institute member Robert Immella also gave a presentation at FAIRCON21 on implementing the new model at KeyBank in Use Case for FAIR-CAM: Rapid Policy Exception Management.
--A Lot More to Read on FAIR-CAM
2. Socialize/Integrate FAIR
Ultimately, a FAIR program wins over an organization by showing clear value – but how to get to that point takes a combination of analytical and people skills. Here’s some advice based on solid experience: 5 Tips from CISOs on Making the Move to Quantitative Cyber Risk Management (FAIRCON2020 Video)
3. Source/Apply Data
From data collection to data quality control to combining and normalizing data from different sources, this topic always ranks at the top of the list for frustrations among cyber risk analysts. How to Find Data for Every One of the FAIR Factors – Wade Baker’s Talk at 2020 FAIR Conference (Video) thoroughly covers the hunt for data sources and Secrets to Gathering Good Data for a Risk Analysis gives tips on the human element – extracting data from subject matter experts. For a technique to speed analysis by better refining raw data, read A New Approach to Data for Faster FAIR Quantitative Risk Analysis.
4. Improve/Speed Risk Analysis
Successful FAIR program managers will tell you that the speed and quality come from carefully setting up the right processes. How Long Does It Take to Launch a FAIR Program? shows the way to structure a program based on results that best fit the needs of your organization. 5 Habits for Highly Effective Risk Analysis is about completing risk analysis tasks with “a lot more clarity,” to achieve actionable results for stakeholders.
5. Report to C-Suite or Board
Reporting on risk to the business leaders in financial, not technical terms – it’s one of the key benefits of FAIR adoption. Highmark Health CISO Omar Khawaja breaks down an effective board presentation: FAIRCON18 Video: A Master Class on Reporting Cyber Risk to the Board and Jack Jones and enterprise risk management authority (and Institute board member) James Lam collaborated to list all the metrics that leaders want to see: Get the Right Cybersecurity Reports.
6. Comply with Standards or Framework
FAIR works with all the standards and frameworks for cyber and technology risk and brings the discipline of financial analysis to what could otherwise be a checklist exercise in compliance. Here’s a sampler:
>>NIST Maps FAIR to the CSF - Big Step Forward in Acceptance of Cyber Risk Quantification
>>FAIR Institute and HITRUST Plan Integration of FAIR Standard and HITRUST CSF
>>COSO ERM’s Cyber Risk Guidance Recommends FAIR™
>>How FAIR & ISO 27001 Work Together
>>3 Steps to Combine MITRE ATT&CK and FAIR to Focus Cyber Risk Management