Three Critical Skills Used by FAIR Risk Analysts

secrets-gathering-good-data-risk-analysis2Do you have what it takes to be a successful FAIR analyst?

One might assume that having the OpenFAIR certification or even technical experience would be top on the list. However, I’ve come to realize that there are three key talents in providing value to a risk assessment. 

Before I break this down, there are a couple of things to keep in mind. The first is understanding of the FAIR taxonomy is a must.  Another is the greatest value of a FAIR analyst is during the scoping and data gathering phase.  With those two items in mind, let’s start with: 

This post first appeared on the blog of Evolver where author Ed Peck is a cybersecurity consultant. Evolver runs large scale security operations centers for government and financial organizations and provides full cyber assessment and technology services for corporations, including FAIR risk analysis.  

“Be able to start a discussion.”

Getting a room of subject matter experts together and having everyone stare at you to start talking can be rather uncomfortable, and if we’re being honest, unproductive.  The experts are there because they know the company/process/technology/data better than anyone.  They are the experts! 

Sometimes asking open ended questions can get the ideas flowing. Other times, especially with the FAIR skeptics or those who are generally uncooperative, it’s often throwing a number out there for discussion. 

Here’s a tip though, don’t take the laughing or criticism personally. We want the input from everyone in that room.  When you hear, “No way” or “Not even close”, challenge them back by asking, “What do you think it is?”  Encourage debate amongst the attendees because this is a great way to get to consensus and accuracy.  But one must be mindful of the second talent: 

“Don’t let the conversation get off track.”

 Here’s where scoping is so important.  Whenever you hear, “well this could happen” or “I mean it’s possible that…” alarm bells should be ringing in your head.  To help combat this, I refer to a simple trick that was taught to me for these situations.  Write the scoping statement in large letters somewhere in the room.  Use a whiteboard, paper taped to a wall, projector screen, something, ANYTHING.  This is a good reference point to bring the room back from whatever rabbit hole they are chasing down.  I also found it very helpful to have a list of assumptions handy to focus the discussion and gaining accurate data.  Speaking of data accuracy: 

“Play Devil’s Advocate.”

I found it extremely helpful to provide pushback on numbers the subject matter experts provide.  This provides a two-fold benefit (I know, another numbered list *grrrr*). 

First, confidence.  If the experts can state with certainty and conviction their final answer, management will be more readily accepting of the final outcome. 

Second, sometimes these experts are too close to situation.  Everyone thinks their company/department/office is supremely important and critical in the defense of democracy in the free world (okay, I got a little carried away there), but when I start my statement of, “from an outsider’s perspective looking in, that number/statement seems be unrealistic…”, suddenly a new discussion begins and it’s either positively affirmed by the whole group, or the numbers are changed.  Remember, group think and yes-men are counter-productive to what we want for an analysis.

One final thought.  We are trying to model a probable future event.  It is inherently comprised of uncertainties and there should be initial disagreements during the data gathering phase.  Embrace it, focus it, and challenge it.  So let’s now discuss the estimated range of people who will disagree with me.

Ed has worked in cybersecurity for almost 20 years as a professional information security provider. Ed’s current role at Evolver, a Converged Security Solutions company, connects him face to face with the customer – and their data. His FAIR analyst certification means he knows which sets of data are the most valuable, can determine the amount of monetary risk an organization has based on the way it handles its data, and can make recommendations about each. He is CISSP-ISSEP certified and is an instructor for George Mason University’s Essentials of Factor Analysis of Information Risk (FAIR) Course.

See the original version of this post on the Evolver blog


What Makes a Good Risk Analyst?

5 Habits for Highly Effective Risk Analysis  

Learn How FAIR Can Help You Make Better Business Decisions

Order today
image 37