Attendees at the FAIR Institute Breakfast during the recent Gartner Summit on Security and Risk Management heard tales of three successful FAIR cyber risk quantification programs from Matthew Martin of LPL Financial, Robert Immella of Key Bank and, lastly, Musso Shaikh, Program Manager, Cyber Threat Intelligence, at Fannie Mae, the big provider of mortgage financing.
Looking back at the first two years of FAIR adoption, Musso had four points of advice for launching and evangelizing risk quantification at your organization:
1. Develop a robust set of scenarios as a foundation.
Musso and team gamed out their likely threat communities, critical assets, varied attack methods and range of potential effects, then identified an initial top five risk scenarios — “this gave us the foundation to really move forward.”
2. Establish FAIR’s credibility.
“As we introduced it to the organization, there were some questions on ‘How rigorous is your process?’.” The team was able to clear FAIR through Fannie Mae’s model-risk oversight evaluation process. “It was time intensive but we were able to provide everything they needed and we got the thumbs up. Then we had better recognition throughout the organization that this is something that’s been vetted. It really put the wind in our sails.”
3. Use FAIR analysis as a budgeting tool
Musso and colleagues took their library of scenarios into the budget planning for strategic initiatives, mapped the initiatives to the various assets and potential threats, assessed whether each initiative would reduce vulnerability, threat event frequency or other FAIR factors, then did quick future-state analyses through the RiskLens Platform. “We were able to demonstrate from a forecast perspective what the risk reaction would look like and aggregate that across the strategic initiatives. It gave management a great additional data point as they were considering which strategic initiatives would give the most bang for my buck.”
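To make the mechanics of that future-state comparison concrete, here is an added illustration (not RiskLens's, Fannie Mae's or the FAIR Institute's code) of the arithmetic behind it: each scenario is decomposed into threat event frequency, vulnerability and loss magnitude, an initiative is modelled as a change to the factor it is expected to move, and the expected annualized loss before and after is compared and divided by the initiative's cost. The scenario, the two initiatives and every number in them are constructed for the example; a real analysis would use calibrated estimates and a full Monte Carlo over the complete FAIR ontology rather than the triangular-distribution shortcut used here.

```python
"""
FAIR-style current- vs future-state comparison for budgeting.

Added illustration, not RiskLens's or Fannie Mae's code. All scenario and
initiative values below are constructed for the example.
"""
import random
from dataclasses import dataclass, replace
from statistics import mean
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most likely / max for one FAIR factor."""
    low: float
    mode: float
    high: float

    def expected(self) -> float:
        # Mean of a triangular distribution; used for the quick analytic view.
        return (self.low + self.mode + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode)
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """One risk scenario decomposed into the top-level FAIR factors."""
    name: str
    tef: Estimate    # threat event frequency: attempts per year
    vuln: Estimate   # vulnerability: probability an attempt becomes a loss event
    loss: Estimate   # loss magnitude per event, dollars (sum of the forms of loss)

    def expected_annual_loss(self) -> float:
        # LEF = TEF x Vulnerability ; annualized loss = LEF x loss magnitude.
        # Factors are treated as independent, so expectations multiply.
        return self.tef.expected() * self.vuln.expected() * self.loss.expected()

    def simulate(self, trials: int = 20_000, seed: int = 7) -> List[float]:
        """Monte Carlo draws of annual loss; seeded so runs are reproducible."""
        rng = random.Random(seed)
        return [self.tef.sample(rng) * self.vuln.sample(rng) * self.loss.sample(rng)
                for _ in range(trials)]


@dataclass(frozen=True)
class Initiative:
    """A budget line item and the future-state scenario it is expected to produce."""
    name: str
    cost: float
    future_state: Scenario


def forecast(current: Scenario, initiative: Initiative) -> Dict[str, float]:
    """Expected annualized loss before and after, and reduction per dollar spent."""
    before = current.expected_annual_loss()
    after = initiative.future_state.expected_annual_loss()
    return {
        "ale_current": before,
        "ale_future": after,
        "reduction": before - after,
        "reduction_per_dollar": (before - after) / initiative.cost,
    }


def rank_initiatives(current: Scenario, initiatives: List[Initiative]) -> List[Tuple[str, float]]:
    """Order initiatives by expected risk reduction per dollar, highest first."""
    scored = [(i.name, forecast(current, i)["reduction_per_dollar"]) for i in initiatives]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# --- Constructed sample input -------------------------------------------------
# Hypothetical scenario: credential theft against a customer-facing application.
CURRENT = Scenario(
    name="credential theft -> account takeover",
    tef=Estimate(2, 6, 12),
    vuln=Estimate(0.20, 0.40, 0.60),
    loss=Estimate(50_000, 200_000, 800_000),
)

# Hypothetical initiatives: one lowers vulnerability, one lowers loss magnitude.
MFA_ROLLOUT = Initiative(
    name="phishing-resistant MFA",
    cost=400_000,
    future_state=replace(CURRENT, vuln=Estimate(0.05, 0.15, 0.30)),
)
RESILIENCY = Initiative(
    name="faster account recovery / resiliency",
    cost=700_000,
    future_state=replace(CURRENT, loss=Estimate(20_000, 80_000, 300_000)),
)
INITIATIVES = [MFA_ROLLOUT, RESILIENCY]


if __name__ == "__main__":
    for init in INITIATIVES:
        f = forecast(CURRENT, init)
        sim = init.future_state.simulate()
        print(f"{init.name}: ALE ${f['ale_current']:,.0f} -> ${f['ale_future']:,.0f} "
              f"(simulated mean ${mean(sim):,.0f}), "
              f"${f['reduction_per_dollar']:.2f} reduction per $ spent")
    print("ranking:", rank_initiatives(CURRENT, INITIATIVES))
```

With these constructed numbers the resiliency initiative removes more expected loss in absolute terms, but the MFA rollout removes more per dollar spent, which is the kind of "additional data point" the talk describes handing to management. The same structure aggregates across a scenario library by summing each initiative's reduction over every scenario it touches.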
4. Train on FAIR as a communication tool.
“Your training should be tailored to senior leadership and other management functions where I’d say the output of FAIR is numbers but the main value proposition is being able to speak the same language. For instance, one of my efforts is with the resiliency team, as they look at the financial impacts of an outage. It would be great if they all understood the six forms of loss and were really on the same page.
“A lot of incident management within the company is about — ‘My app was down for four hours, that really had reputational impact.’ I say ‘Is that really reputational impact? Is that customer no longer going to do business with you?’ So being able to have those conversations goes a long way.”
For more tips from Musso, watch the video of her talk at the FAIR Institute breakfast.
More from Musso, Matt Martin and Rob Immella in the Q&A session at the FAIR Breakfast:
Join us for the 2019 FAIR Conference, bringing leaders in information and operational risk management together to explore best FAIR practices that produce greater value and alignment with business goals. Gaylord National Resort & Convention Center, National Harbor, MD, September 24 & 25, 2019. More information on FAIRCON19.