Cyber risk quantification has often been seen as difficult or impossible because of the perceived lack of data on the subject. Many organizations do not have sophisticated logging systems that would give them perfect hindsight into past cyber events.
One common objection to quantitative risk analysis is that it is harder or less efficient than its qualitative counterpart. While it is true that a quantitative analysis will always be more rigorous than the wet-finger-in-the-air approach, what I have found in becoming a quantitative risk analysis expert and training others for RiskLens is that these notions of difficulty or inefficiency often come from not following best practices.
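The objection above is that quantification needs perfect event history. A FAIR-style analysis does not: it takes calibrated ranges (minimum, most likely, maximum) for loss event frequency and loss magnitude and simulates annual loss exposure from them. The block below is an added illustration written for this page, not code from the FAIR Institute or RiskLens; the modified-PERT sampling, the Poisson event count, and the input ranges are assumptions chosen to show the mechanics, and the ranges are constructed sample inputs rather than data from any real analysis.

```python
import math
import random
import statistics


def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw one value from a modified PERT distribution.

    Calibrated estimates are usually expressed as min / most likely / max;
    PERT turns that triple into a beta distribution on [low, high].
    """
    if high == low:
        return low
    alpha = 1.0 + lam * (mode - low) / (high - low)
    beta = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson_sample(rng, rate):
    """Number of events in one year given an annual rate (Knuth's method).

    Adequate for the small rates typical of loss event frequency estimates.
    """
    threshold = math.exp(-rate)
    count = 0
    p = 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return count
        count += 1


def simulate_annual_loss(lef_range, lm_range, iterations=10000, seed=7):
    """Monte Carlo over loss event frequency (LEF) x loss magnitude (LM).

    lef_range: (min, most likely, max) events per year
    lm_range:  (min, most likely, max) loss per event, in currency units
    Returns a sorted list of simulated annual losses, one per iteration.
    """
    rng = random.Random(seed)  # fixed seed so results are reproducible
    losses = []
    for _ in range(iterations):
        rate = pert_sample(rng, *lef_range)
        events = poisson_sample(rng, rate)
        annual = sum(pert_sample(rng, *lm_range) for _ in range(events))
        losses.append(annual)
    losses.sort()
    return losses


def summarize(losses):
    """Percentiles and mean of the simulated annual loss distribution."""
    n = len(losses)

    def pct(p):
        return losses[min(n - 1, int(p * n))]

    return {
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "mean": statistics.fmean(losses),
        "max": losses[-1],
    }


# Constructed sample ranges (assumptions, not measured data): a scenario
# expected roughly once every two years, costing 10k-500k per event.
SAMPLE_LEF = (0.1, 0.5, 2.0)
SAMPLE_LM = (10_000, 50_000, 500_000)

if __name__ == "__main__":
    result = summarize(simulate_annual_loss(SAMPLE_LEF, SAMPLE_LM))
    for key, value in result.items():
        print(f"{key:>5}: {value:,.0f}")
```

The point of the exercise is that the inputs are ranges elicited from subject-matter experts, not a complete incident log, and the output is a distribution (p10, p50, p90, mean) that a decision maker can compare against risk appetite.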
Many FAIR program leaders start at a ground level and work their way up to a board presentation. Chris Golden started at the top, as he tells FAIR Institute Director Luke Bader in this podcast interview, demonstrating FAIR to the board for the green light on a risk quantification initiative.
In March 2019, I passed the ISACA CRISC exam and was certified the following month. The CRISC is a great certification because it shifts your mindset and helps you establish standardized information risk management practices.
However, I decided not to stop there, but to search further for holistic and effective standards for cyber risk quantification.
Researchers at the Federal Reserve Bank of New York recently issued a study saying that interbank "wholesale" payments are so concentrated in the top five banks that if any one of them were disrupted by a cyber attack, the result could be a liquidity crisis in the banking system, a kind of cyber run on the banks.
The FAIR™ Enablement Specialists (FES) team connects Institute members with the resources they need to build quantitative risk management programs, from educational materials to local and national events (like the annual FAIR Conference) to getting advice on best practices from FAIR experts and the FAIR community (like the LINK discussion platform).
RSA Conference 2020 included FAIR™ among the top ten trends in cybersecurity, based on the 2,400 speaker applications for this year. The RSAC 2020 Trend Report's #7 trending theme, "Frameworks, Frameworks, Frameworks," covered FAIR and the NIST CSF (which this year added FAIR to its recommended resources).
In this webinar sponsored by our technical advisor, RiskLens, hundreds of your peers in cybersecurity and risk came to get answers to some burning questions.
How do I get more value from the NIST CSF Framework?
In another milestone for acceptance of FAIR™ and cyber risk quantification, COSO has issued its first guidance document on applying the COSO Enterprise Risk Management Framework to cyber risk management, and it includes a reference to the FAIR model.
We are hosting multiple FAIR™ Analysis Fundamentals Training Courses throughout the year and across the country. Take advantage of one of these excellent opportunities to work with expert trainers in person.