At the FAIR Institute Breakfast during the recent Gartner Security and Risk Management Summit, Robert Immella FAIR cyber risk analyst for KeyBank, gave a talk filled with actionable tips for anyone looking to stand up or power forward a quantitative cyber risk management program.
See video of Robert’s talk to the FAIR Institute Breakfast below
Robert covered two key points that can help you on your path to FAIR adoption - winning executive buy-in and proving out one of the key values of cyber risk quantification, analyzing the cost-benefit of a security purchase - in this case an email filter. Another highlight of his talk: three obstacles in growing a FAIR program and how to overcome them:
Obstacle # 1 Slow Progress with Analyses
Data gathering for analysis is a process that’s often out of your control, dependent on getting on the calendars of Subject Matter Experts (SMEs) and then inching them along to produce results. “What I can control when gathering information is not to be perfect,” and bogging down with analysis paralysis.
“I try every time as I approach an analysis to have an 80/20 mentality…You can always go back and tweak the numbers later…Remember the FAIR model is allowing you to work in ranges so it gives you that flexibility.”
Questioning SMEs can be slow going if you approach it from the point of view of FAIR analysis and what you need to fill out the FAIR variables.
Robert’s team turned the focus around and instead of asking about “vulnerability” they might say “What’s the likelihood of privileged insiders getting customer data from the XYZ data base?.. Educate them a little bit on FAIR but you still need to speak to them in their language even if its technical and with respect to their asset.”
Obstacle # 2 Issues Reporting Results
Make your analysis reporting compelling - always include a future state. Robert found that just presenting a current state analysis of Top Risks, for instance, didn’t raise much interest. Adding a future state showed a risk reduction scenario and captured attention.
For inputs for a future state, Robert asks SMEs if they have any projects coming online soon or even if they had “unlimited budget” and could purchase new technology they’ve been craving—and if that fails, he simply runs the analysis assuming three future states at 5/10/15% risk reductions as hypotheticals.
Robert also recommends a rationale template, a structured way to record answers from SMEs about the data and their thought processes, as an aid to answering questions about the inputs to the analysis, after your memory of the interview fades.
Obstacle # 3 Identifying SMEs and Managing SMEs
Robert keeps his own database of SMEs associated with every FAIR variable from past analyses. So, as he scopes an analysis “right away I can sort this list out…It’s an easy way to figure out who can give you what.”
Watch the video of the talk by Robert Immella, Key Bank, at the FAIR Breakfast:
More from Robert in the Q&A session at the FAIR Breakfast:
Your peers are already mingling at the FAIR Institute (over 5,600 of them), the market is here (30% of Fortune 1000 companies are represented at the Institute), and many FAIR champions are sharing their stories (“Meet a Member” blog series). So, don’t delay anymore and join the risk quantification revolution! Become a FAIR Institute member.