Walmart is a FAIR champion in infosec (Joel Baese, Director, Governance and Decision Science, Information Security, has been a FAIRCON honoree and panelist) but the retailing giant is also pioneering quantitative risk analytics on the physical security side, as Christina Nelson, Director, GISAT Risk and Strategy, told the 2018 FAIR Conference. If you’re looking for tips on introducing FAIR to operational risk practitioners – or indeed, general wisdom on evangelizing a FAIR program – watch this video (FAIR Institute membership required) of Christina’s talk for insights based on solid experience.
Some key takeaways:
- A “worst case scenario” mentality dominates thinking among physical security folks, equating risk with disasters. A big eye-opener for management was the presentation of FAIR findings as annualized loss exposure (ALE), showing that frequent, seemingly small-scale risks can be more costly on an annualized basis than some disasters.
- It’s difficult to get numbers out of physical security specialists, but showing them a FAIR-style calibrated estimate process can break through. And “even if no one is comfortable with the numbers, the process of thinking through your risk scenario in this structured fashion is invaluable.”
- “Don’t just sell FAIR as measurement for measurement’s sake, sell a whole package”: Christina shows this chart to the right around the company, with the many areas where FAIR supports decision making in operational risk.
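To make the ALE point concrete, here is an added Python example (not from Christina’s talk, Walmart or the FAIR Institute; the two scenarios and every number in them are constructed for illustration). It takes calibrated min / most likely / max estimates for loss event frequency (LEF) and loss magnitude (LM), runs a simple Monte Carlo, and reports the annualized loss exposure with percentiles. The scenario names, the `Calibrated` and `Scenario` types and the `simulate` function are all hypothetical. It uses a triangular distribution for the calibrated ranges and multiplies sampled LEF by sampled LM per trial, a simplification of the PERT-based, per-event sampling that FAIR tools typically use.

```python
"""Constructed FAIR-style ALE comparison: frequent small losses vs. a rare disaster.

Added example, not from the original post. All scenario figures are made up.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Calibrated:
    """A calibrated estimate: minimum, most likely and maximum value.

    Sampled here with a triangular distribution (FAIR tools usually use PERT).
    """
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode) in that order.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: Calibrated  # loss event frequency: events per year
    lm: Calibrated   # loss magnitude: dollars per event


# Hypothetical scenarios. The "disaster" has by far the larger worst-case
# single event; the "shrinkage" scenario happens hundreds of times a year.
SHRINKAGE = Scenario(
    name="frequent small-scale theft",
    lef=Calibrated(200, 400, 800),
    lm=Calibrated(500, 2_000, 10_000),
)
DISASTER = Scenario(
    name="rare site-wide disaster",
    lef=Calibrated(0.01, 0.05, 0.2),
    lm=Calibrated(1_000_000, 8_000_000, 40_000_000),
)


def simulate(scenario: Scenario, trials: int = 20_000, seed: int = 42) -> dict:
    """Monte Carlo estimate of annual loss for one scenario.

    Each trial samples a frequency and an average per-event magnitude from the
    calibrated ranges; their product is that trial's annual loss. Returns the
    mean (the ALE), the 10th/50th/90th percentiles, and the worst single event
    (the maximum of the loss-magnitude range) for comparison with the
    "worst case" framing.
    """
    rng = random.Random(seed)
    annual = sorted(scenario.lef.sample(rng) * scenario.lm.sample(rng)
                    for _ in range(trials))

    def pct(p: float) -> float:
        return annual[min(len(annual) - 1, int(p * len(annual)))]

    return {
        "name": scenario.name,
        "ale_mean": statistics.fmean(annual),
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "worst_single_event": scenario.lm.high,
    }


def compare(*scenarios: Scenario) -> list[dict]:
    """Simulate each scenario and return results sorted by ALE, highest first."""
    return sorted((simulate(s) for s in scenarios),
                  key=lambda r: r["ale_mean"], reverse=True)


if __name__ == "__main__":
    for r in compare(SHRINKAGE, DISASTER):
        print(f"{r['name']:<30} ALE ${r['ale_mean']:>14,.0f}  "
              f"p10 ${r['p10']:>12,.0f}  p90 ${r['p90']:>12,.0f}  "
              f"worst event ${r['worst_single_event']:>12,.0f}")
```

With these made-up inputs the disaster’s worst single event is four thousand times larger than the theft scenario’s, yet the theft scenario’s ALE comes out higher (roughly $1.9M versus $1.4M a year, which you can also check analytically as the product of the two triangular means). That is the reframing the talk describes: the ranking changes once you annualize, and the percentiles show how much of that exposure is routine rather than catastrophic.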