Looking for a Quantitative Cyber Risk Specialist, a Risk Quantification Analyst or even a Senior Factor Analysis of Information Risk (FAIR) Analyst? It’s a sign of the rapid adoption of FAIR that organizations have recently been advertising for new hires with those titles.
It’s an issue that comes up again and again at FAIR conferences, chapter meetings, webcasts or discussion boards: “I get the value of FAIR quantitative risk analysis – but I don’t know how or where I could start implementing it.”
You’ve tried your hand at running one-off scenarios with FAIR, say to identify your top risks – now learn an ongoing use for FAIR to monitor your key risk indicators (KRIs).
‘Low’ loss exposure scenarios are often cause for celebration, or at least an exhausted sigh of relief from the CISO who is already juggling the remediation plans of countless other higher risk scenarios.
In basic terms, a company’s “risk appetite” is the level of risk the organization sees as acceptable. Not surprisingly, some use the phrase “risk tolerance” interchangeably with “risk appetite” (there is an important difference: "tolerance" is how far off "appetite" the organization will go).
Risk register has become a dirty phrase. It is a catch-all for any concern that keeps an executive up at night. Items such as “insiders”, “the Cloud”, and “data loss” adorn risk registers in organizations across industries. FAIR-trained or not, it does not take a risk expert to tell you those items are not actionable.
Industry guidelines and standards often strongly recommend or even require a “risk assessment” to satisfy various regulatory and compliance requirements. However, not all assessments are created equal, as one entity’s assessment of risk may be another’s control evaluation.
As auditors, you often get a bad rap. Given that audit is a compliance-focused profession, one of the many aspects of your job is telling someone that the way they do theirs is wrong, which is not a fun conversation for either party.
On June 18, join a distinguished group of cyber risk executives and fellow FAIR Institute members, many in town for the Gartner Security & Risk Management Summit 2019, as they discuss "Tips and Best Practices on How to Build a Quantitative Risk Management Program With FAIR."
As an advocate for FAIR, I spend a great amount of time preaching the benefits of quantitative risk analysis over the qualitative approach. Ranking of risks 1-5 or red-yellow-green based on subjective judgments doesn’t measure up (literally) to a standard model like FAIR that produces consistent results expressed as probabilities.