In this short 5-minute video, FAIR author Jack Jones gives an overview of the FAIR model for risk measurement and management, the training opportunities for FAIR, and the professional organization, the FAIR Institute. He also covers the open standard version of FAIR and the enterprise SaaS version from RiskLens.
Jack Jones is one of the foremost authorities in the field of information risk management. A veteran chief information security officer (CISO) for major financial institutions, he developed the FAIR model to give risk managers a standard way to quantify risk in business terms. He is chairman of the FAIR Institute.
Jack was interviewed by ITSPmagazine.
Q: What is the FAIR Institute?
A: The FAIR Institute is a non-profit organization dedicated to building a community of people who want to advance the field of risk management and risk measurement, mostly focused right now on cyber and technology risk, but it is expanding beyond that as well.
Q: How do people get more information on FAIR?
A: There’s The Open Group, with its information about what it refers to as Open FAIR, the open standard; the FAIR Institute, with FairInstitute.org, a very active blog with a ton of information on it; and of course RiskLens.
RiskLens is a company that’s developed an enterprise-class software as a service (SaaS) application that makes measuring risk and reporting it far easier. Think of it as a sort of TurboTax for risk measurement: rather than dealing with all the tax forms and trying to figure out the tax code, it’s tried to simplify that process. It has some of the largest companies in the world as customers right now.
And there’s training as well for organizations that want to start maybe not with software but with understanding the problem space better.
Q: So who has really adopted FAIR?
A: Some of the biggest companies in the world have adopted it. But more than that, some of the smallest companies in the world use it, too. There’s a misperception that you have to have an organization of a certain size or maturity or spend or whatever to measure risk. Fortunately, that’s not true, that’s a fallacy.
FAIR is first and foremost a framework for critical thinking about risk of any type. There is no prerequisite in terms of your size or maturity to think more clearly and effectively about the problem you are tasked with managing.
So at the simplest level, FAIR is a framework for thinking about risk in clearer and more precise terms, which sets the stage for measurement that can be as simple as the watercooler, wet-finger-in-the-air sorts of things, but again based on a more calibrated mental model of the problem, all the way up to doing very sophisticated, complex sorts of analyses that can in some cases require higher levels of maturity. But again there’s a lot of misperception there; it’s not nearly as complicated as people think.
Q: How are we getting people educated and trained?
A: There are training programs. Back to your question of adoption: The Open Group, the international standards consortium, has adopted FAIR as the basis for their risk management measurement practices, and they have a professional certification. And there are companies like RiskLens, which I’m a part of too, that offer training.
There’s a book out there on FAIR, Measuring and Managing Information Risk: A FAIR Approach, which I co-authored with a friend of mine, Jack Freund, and last year was inducted into the Cybersecurity Canon as a must-read for the industry.
There are resources out there—and The Open Group has resources, too—where people can go learn on their own but we’re developing more and more training. We’re in the process of developing an online curriculum that people can take at whatever pace they like so there are more and more resources.
And the FAIR Institute, the non-profit organization, has free membership. Already more than a thousand people in less than a year have signed up for it from around the world, from all industries and all organizations and all sizes, to share ideas and challenges and solutions related to FAIR and risk measurement and management in a community setting, so that’s another really good resource.
Q: One of the things I really like is to have diverse teams… Do you see that in risk as well?
A: Absolutely. It’s critical. In order to measure risk effectively, a couple of things have to exist. You have to have the right skill sets, which very often you’re not going to find in one person. You need to bring to the table an understanding of the threat landscape and the control conditions, and that by itself should suggest a combination of different skills and diverse capabilities and such. You also have to have a basic understanding—even if you’re waving a wet finger in the air—of probability principles, no PhD required. So there is a need, a desperate need, for that diversity in making these measurements that drive such critical decisions.
Q: Thank you. Excellent. Learned a lot.