The panelists were:
Watch as they relate how they handled these common issues:
View How to Get the Buy-In for a Quantitative Risk Management Program. A (free) FAIR Institute membership is required – join now.
Don’t ask permission, Mandy advises. “We quietly started a FAIR analysis effort to see if it would work,” then showed the results around. Jack started off with a PowerPoint presentation pitching FAIR, based on the superiority of its logic. It fell flat: “The big lesson is you need to meet people where they are and I was trying to push them a little farther than they were ready.”
Jack says that breaking out of the typical risk team posture of “we’re here to say no” and instead presenting a range of options based on FAIR analysis was a credibility builder. “Tailor the message,” Tim suggests. “For practitioners, this is a new tool. For executives, this is a new way to understand risk and make decisions.”
“If a pen-test team comes in with a high vulnerability, we don’t correct them,” says Tim. “The important thing is how to consume it in our team and translate that into the common terminology, dollars.” Jack adds, “but I do hold the line on the difference between control deficiency and risk; that’s a very essential one.”
Tim advises that FAIR programs “build a risk factory, churn through assessments, and identify key risks on a proactive basis.” For his team, “it got you out of arguing why FAIR is better than other methodologies. It put it into a delivery model.”
For more tips on socializing and productizing FAIR, watch the video Get the Buy-In for a Quantitative Risk Management Program.