The Equinix Plan to Scale a FAIR Program

Scaling a FAIR Program

Some of the most thoughtful FAIR practitioners we know are running the FAIR CRQ program at Equinix, a Fortune 500 tech company, and have created a model approach to program-building that any organization would do well to emulate. Here are some of the key steps Equinix took to set itself up to scale FAIR (and some links to dig into the details).

1. Set guiding principles and practices

We know that some successful FAIR program managers counsel getting some quick wins on the board with useful CRQ analyses. But before you are off to the races, take a deep breath and set some basic direction to ensure you move from a “project basis to a program basis,” as Zach Cossairt of Equinix said in a presentation to the 2023 FAIR Conference. The Equinix team wrote 10 Guiding Principles of CRQ Program Development (see them all here), including:

#1 Obtain executive sponsorship and maintain through the program

#5 Align program to organizational strategy and business outcomes 

#10 View CRQM program development comprehensively, strategically and incrementally

The team created a North Star, a shorthand way to stay focused on a mutual goal: 

“Improve the pace and quality of decision making across the organization”

Finally, they wrote a Program Charter that set out specific goals and responsibilities. Here is a model program charter (not the actual charter for Equinix).

Learn more about creating a charter in this FAIR Conference presentation:

Video: See BCP Bank’s Mission Statement and Project Plan for FAIR Program Launch

2. Solve for Cyber Risk Scenarios

Even if you are just starting out on your FAIR journey, you know that Factor Analysis of Information Risk is about analyzing scenarios that break down risk into component parts that can be quantified. But analyzing a scenario is much more than a step along the way – it is the basic building block of a FAIR program. Get scenario generation wrong and your program heads for dead ends. 

As Raksha Shenoy (then at Equinix, now at Cloudflare) wrote in a blog post, Identifying the Right Risk Scenarios to Measure with FAIR, scoping the scenario is critical: identifying the asset at risk, the threat actors and the type of loss. She described how Equinix charts a loss flow diagram to visualize how the loss might materialize, including the relevant controls in place.

One benefit of careful scoping: stakeholders who bring a risk scenario to the FAIR team often assume in a linear way that the threat actor is external, when scoping could “make it clear that an insider continuously making errors, when unresolved, is what opens the particular method to be exploited by an external actor,” Raksha wrote.

Scenario Sources: Top Down or Bottom Up?

Should you emphasize scenarios from a top-down perspective, that is, primarily in line with strategic imperatives? Or bottom up, that is, serving organizational needs? Advice from Equinix: Pick one but understand you will inevitably be servicing both. 

3.  Always be scaling

With a risk-scenario scoping practice in place, the program’s executive sponsor gave this direction on building a scenario repository: “Operationalize use cases so you can bring that value to the organization over and over again,” Zach said. 

Caleb Juhnke (formerly of Equinix, now with Elsevier) presented more tips on scale in a blog post, 3 Quick Steps for FAIR Program Maturity:

>>Automate data collection: “A key part of FAIR development in your organization must be data independence,” through setting up a regular channel to receive in-house or industry standard data. 

>>Template data intake: As your cyber risk analytics team grows, “also comes an increase in personalities, communication styles, and assumptions…Templating and defining required information fields used in the analyst’s rationale will create a consistency of analysis that allows for greater transparency and uniformity in reporting.”

>>Integrate risk analysis with decision-making: “It is essential to develop processes, and process hand-offs to bake quantitative analysis into operational, tactical, and strategic decision support.”

4.  Consider the human factors

The Equinix team gave careful consideration to how they would introduce the new concepts of FAIR to maximize acceptance and minimize resistance in the organization, and applied principles from organizational psychology. Read Zach Cossairt’s blog posts on Leveraging the Human Element for a Successful FAIR Risk Management Program, part 1 and part 2, for the full flavor. A few tips:

>>”Frequently expose stakeholders to the concept of effective risk management grounded in valid quantitative measurement to reduce their uncertainty and increase familiarity by removing novelty from the idea.”

>>”Concerns for the use of probabilities and loss range estimates will inevitably arise. When they do, it helps to explain the commonality of eliciting judgments of likelihood and impact regardless of the flavor of the risk management method.”

>>”Introduce multiple solutions with varying resource requirements, tangible costs, and technology demands…Be idealistic and highlight the optimal path you’d like your organization to take, regardless of whether you feel like it’s requesting too much. Even if the best option is considered to be out of the question, this can make the good enough solution seem relatively less threatening.”

More from Equinix FAIR experts:

Redefining ROSI in Risk Assessment: A Practical Guide for Risk Analysts by Caleb Stogner

What to Do After You Pitch Quantitative Risk Analysis by Caleb Juhnke

Learn more about FAIR program growth:

Case Study: Launching, Scaling a FAIR Program at Netflix

FAIR Use Case: Introducing Quantitative Risk Management at Fashion Group Richemont
