With FAIR (and risk quantification) increasingly accepted as the standard for cyber risk analysis, FAIR Institute Chairman Jack Jones talked about what’s next in his keynote address to the recent 2019 FAIR Conference: setting up successful FAIR-based programs that manage risk cost-effectively.
Watch the video of Jack’s keynote (FAIR Institute membership and LINK community site membership required). Slides are attached.
Wherever you are in your FAIR journey, you’ll want to hear Jack’s advice on each stage of forward momentum. A sampling:
“Organizations tend to not like change [and] logic does not always prevail. You have to demonstrate meaningful value at an acceptable cost…We’re competing against a zero cost current state for risk analysis…It’s free and anybody can do it…All the cost is borne downstream when we get burned through breaches because we couldn’t identify and focus on the things that mattered most.”
Understanding the Value of a FAIR Program
“I like to think of a continuum of cost-efficacy in a program…The first value proposition is just using the FAIR ontology as a framework for getting clarity about what it is we are talking about trying to manage…The second is supporting operational decisions, the third is strategic support and the fourth is the notion of automated operational decision support.”
Planning a Roadmap
“Before you get into what your roadmap should look like, you need to ask yourself some questions: Do you have executive support? Is there already a recognized need? If not, how can you get people on board quickly? If you do have executive support, which pain points does it make sense to solve first?”
Getting Past the Hard Part
“When you start doing this, it is going to feel hard at first because you’re going to spend more time getting data and getting comfortable with the process. That’s normal and natural. But it’s one of those things that gets better, more cost effective and efficient, the more you do it. Just recognize that you’ve got to start somewhere.”