The Wall Street Journal’s WSJ Pro Cybersecurity Cyber Daily newsletter (subscription required) gave FAIR a very positive review in a recent article profiling Charles Schwab’s implementation of a FAIR program: “Companies are moving to deploy methods to calculate the financial impact of cyber threats. Analysts say FAIR is gaining traction, especially among large corporations that already have experience with cyberrisk analysis.”
“The only downside is that there’s less excuse for not giving it a try,” newsletter Editor Steven Rosenbush writes.
Nick Hayes, senior analyst at Forrester Research, confirms the trend to The Journal. “When you’re talking about risk management frameworks, there’s a little bit more of ‘what’s the business impact to an organization and the likelihood of it.’”
The Journal interviewed Brandon Young, Schwab’s managing director for cybersecurity framework and risk assessment (and a panelist at the recent 2018 FAIR Conference), who describes how his team will use FAIR to prioritize the 1,500 issues covered in its annual security assessment. “We can see the forest from the trees.”
“The key value that FAIR provides is a consistent way to communicate these risks and what we should be doing about them as a firm…That will allow us to get away from articulating our exposure from just a color coded heatmap perspective,” and over time “start to show a quarterly trend up or down in terms of our controls’ effectiveness and the resulting annual loss expectancy associated with that.”
FAIR “evolves the conversation at the board level around those metrics and gets it away from the technical security jargon sort of discussion, and again around whether we’re effectively managing risk with that metric or not,” Young says.
Hayes from Forrester agrees that FAIR eliminates the “cognitive bias” of qualitative, numeric ranking scales for risk. Instead, The Journal says “FAIR puts a price tag on potential losses associated with them, and spells out what mitigation measures could cost.”
The Journal also gave a nod to The FAIR Institute, quoting Memberships and Programs Director Luke Bader as saying that membership has grown to nearly 4,000 since its founding in 2016 and that FAIR use among Fortune 100 companies has hit an estimated 30%.
Read The Journal article: Charles Schwab Looks to Risk-Based Model to Quantify Costs of Cyber Incidents (subscription required).