If you’re introducing FAIR™ and cyber risk quantification to your organization, look at this presentation from the 2021 FAIR Conference by Cedric De Carvalho, Cyber Risk Manager at Richemont International SA, corporate home to 26 luxury brands (or “maisons,” including Cartier watches and jewelry and Mont Blanc pens). You might want to just copy Cedric’s slides – they’re an effective, high-level, visual view of the value of FAIR.
Practitioner Use Case Panorama
Cedric started by setting FAIR entirely in a business context, not a cyber-technical one:
“Cyber risk, like any function in the company, is about generating value,” he said.
He presented FAIR as a kind of basic psychological support tool, empowering the business to understand, decide and act on risk because of three features:
Then he tied FAIR to two guiding principles of security at Richemont, Security Is Everyone’s Responsibility and Security by Design (“meaning that people involve us as soon as possible in different projects. …making us more proactive and less firefighters”) – and emphasized again that business growth is at the root of security strategy.
Getting down to use cases, Cedric presented the risk and security team’s projects as a series of building blocks.
He introduced the notion of industrializing FAIR, taking advantage of the features of his risk management platform to gather data and plug it into analysis:
And finally, he presented a forward look at where the FAIR program was headed, automating through rapid risk assessment for quick prioritization or, if above risk appetite, passing to analysts for detailed assessment:
“We think this is the future of cyber risk quantification and cyber risk management as well, to leverage automation.”