As Netflix Sr. Information Security Risk Engineer Tony Martin-Vegue sees it, risk analysts typically get involved with business decision-making too late and with too little to offer for decision support. What they miss, Tony says, is that security decisions are business decisions, not risk decisions. And business decisions are about balancing risk with reward.
In this 30-minute video talk, Case Study: How FAIR Analysis Supports Decision-Making at Netflix (requires a FAIR Institute membership to view – join the Institute now), Martin-Vegue tells how Netflix rethinks the role of risk analysis and applies FAIR early in the decision process “before risk is a problem for the company.” Instead of a risk statement as the starting point for risk analysis, Netflix starts with a business statement.
Tony Martin-Vegue was honored with the FAIR Institute’s FAIR Ambassador Award at the 2020 FAIR Conference in recognition of his longtime advocacy for FAIR, including founding and co-chairing the San Francisco chapter of the Institute.
With its analysis output in financial terms, FAIR provides the means to make balanced business decisions, weighing:
- Risk vs. profit opportunity
- Security project costs vs. opportunity cost of investing in other priorities
- Increased security vs. end-user friction
Netflix deploys FAIR risk analysis for decision support at three levels:
- Tier 1 – Strategic decisions – major issues for the company with long time frames. Example: analysis of in-house vs. outsourced code development.
- Tier 2 – Tactical decisions – cost vs. benefit of decisions with one-year time frames. Example: third-party service choices.
- Tier 3 – Operational decisions – detailed analysis of large numbers of individual assets. Example: endpoint protection alternatives (AV software, DLP, etc.).
“Framing risk in the form of decisions and not just bad things enables you to make comparisons between two or more things,” Martin-Vegue says. “And when you are making comparisons, you can see the balance completely. We miss this in a lot of risk shops, especially those that use [qualitative] red/yellow/green.”
Get more detail on the Netflix approach to decision-making and FAIR – watch the video Case Study: How FAIR Analysis Supports Decision-Making at Netflix now.