Three Ways to Empower Business Decision-Making with FAIR and Cyber Risk Quantification


Decision support - it’s the outcome of any good risk analysis, and FAIR with its rigorous approach to risk scenarios is a great tool for clarifying the “what-if” options facing decision-makers.
As Grace Gair, Director, Technology Risk Management, Capital One, told the recent 2024 FAIR Conference, “because FAIR requires such precise language, such care around definition and terminology, organizations very quickly find new clarity that they never had before. You can’t hide behind a fuzzy definition.”
FAIR brings clarity to the two steps of decision support: 1) identifying and running the analysis, and 2) communicating the outcome to stakeholders.
At FAIRCON24, we brought together a panel of some of our most experienced FAIR practitioners to share tips on acing both steps to deliver the most value to our partners on the front lines of the business.
Panel: Empowering Business Decisions through CRQ Insights from the Practitioner's Perspective
>>Moderator: Daniel Stone, Director, Security & Privacy, Protiviti
>>Grace Gair, Director, Technology Risk Management, Capital One
>>Luis Valenzuela, Director, Data Governance and Data Loss Prevention, InComm Payments
>>Zach Kacprowicz, Senior Advisor, Cyber Risk Management, Cigna
Here are some of the key points we heard – Watch the video for much more.
1. Controls Prioritization Is Always a Good Starting Point
Tiering controls based on risk reduction quantified through FAIR and FAIR-CAM analysis clarifies a wide range of decisions, as Daniel said: “which controls we’re going to test, how frequently we have to test them, which we need to have a high degree of assurance over and which are secondary.” He shared a chart of tiering NIST CSF controls.
2. Stay Closely Focused on the Decision to Be Made
Zach said, “One thing I’ve learned is to start with the right question - understand the exact decision to be made and then show the minimum of information required to help make that decision. If you show too many loss exceedance curves or too many percentages, it opens it up to challenge and they might not understand your explanation…You need to turn this process into something that says this is a good idea or not.”
3. CRQ Psychology 101: Risk Quantification Motivates Decision-Makers
Luis said that putting a dollar value on cyber loss exposure puts a subtle psychological pressure on the operational side of the organization. “When they hear this, they know we are putting a certain responsibility on them. So, if things go south, they were in the line of decision and didn’t want to move that ticket forward…Let’s face it, a lot of companies willingly choose not to invest in security as a risk because they can spend the money elsewhere to get revenue. Cybersecurity is just one of many risks they are handling.”
Watch the video: Panel: Empowering Business Decisions through CRQ Insights from the Practitioner's Perspective