You’ve tried your hand at running one-off scenarios with FAIR, say to identify your top risks – now learn an ongoing use for FAIR to monitor your key risk indicators (KRIs).
‘Low’ loss exposure scenarios are often cause for celebration, or at least an exhausted sigh of relief from the CISO who is already juggling the remediation plans of countless other higher risk scenarios.
In basic terms, a company’s “risk appetite” is the level of risk the organization sees as acceptable. Not surprisingly, some use the phrase “risk tolerance” interchangeably with “risk appetite” (there is an important difference: "tolerance" is how far off "appetite" the organization will go).
Risk register has become a dirty phrase. It is a catch-all for any concern that keeps an executive up at night. Items such as “insiders”, “the Cloud”, and “data loss” adorn risk registers in organizations across industries. FAIR trained or not, it does not take a risk expert to tell you those items are not actionable.
Industry guidelines and standards often strongly recommend or even require a “risk assessment” to satisfy various regulatory and compliance requirements. However, not all assessments are created equal as one entity’s assessment of risk may be another’s control evaluation.
As auditors , you often get a bad rap. Given audit is a compliance focused profession, one of the many aspects of your job is telling someone that the way they do theirs is wrong, which is not a fun conversation for either party.
On June 18, join a distinguished group of cyber risk executives and fellow FAIR Institute members, many in town for the Gartner Security & Risk Management Summit 2019, as they discuss "Tips and Best Practices on How to Build a Quantitative Risk Management Program With FAIR."
As an advocate for FAIR, I spend a great amount of time preaching the benefits of quantitative risk analysis over the qualitative approach. Ranking of risks 1-5 or red-yellow-green based on subjective judgments doesn’t measure up (literally) to a standard model like FAIR that produces consistent results expressed as probabilities.
A busy week at the RSA Conference for the FAIR Institute. Tuesday at the SC Awards ceremony, the FAIR Institute received the extraordinary honor of being named one of the Most Important Industry Organizations of the Last 30 Years.
Yesterday, while speaking to a university cybersecurity class, I was accused of being pedantic when I pointed out a problem with the phrase “The risk of that impact…”