“What They Didn’t Teach You in FAIR School” – Ground-level Insights on Building a Successful Quantitative Risk Analysis Program from Jack Whitsitt

Jack Whitsett - FAIR Institute Advisory Board MemberJack Whitsitt has been a FAIR practitioner since 2016, built the quantitative risk analysis program at Bank of America and is now doing the same at Datto (the services provider to MSPs), is a SIRA and FAIR Institute board member – and officially qualifies as a wise man of the FAIR movement.

In a talk titled “What They Didn’t Teach You in FAIR School” for the Greater Ohio Chapter of the FAIR Institute,  Jack presented 21 pithy, ground-level insights on starting, socializing, and advancing a FAIR risk analysis program (see them all as stickies in the image below).

Here are three highlights but you really should watch the entire talk – it’s an education in 30 minutes.


Watch “What They Didn’t Teach You in FAIR School” (FAIR Institute Membership required). Memberships are free to qualified business, security, and risk professionals. Join the FAIR Institute.


Don’t Let FAIR Bully You

“I see a lot is people try to map risk analyses over to FAIR and they try to stick with the definitions of the factors. Don’t.

“FAIR is easy, it’s open it’s flexible. It’s really taking a series of Venn diagrams and Monte Carlo-ing them together so that you get uncertainty reduced… 

“If FAIR says this box is for Productivity loss, you can call it whatever you want. At Datto, we are creating our own forms of loss particular to the organization. There’s a subset of customers that if impacted are going to respond entirely differently than another subset of customers. So, for us those are really two different forms of loss.”

Nobody Knows What Controls Do 

“Almost no one I’ve met knows what controls actually do. They’ll map it to pieces of the NIST CSF, they’ll talk about prevent, detect, mitigate…The kill chain is a bit of a red herring – that’s just telling us what place in a series of steps a control might have an impact.

“But it doesn’t tell us if it is really interfering with the bad guys. Bad guys aren’t natural disasters, they’re thoughtful, they’re going to pivot.

“So, when you are thinking through things like resistance strength, and what does a control do, you’re really asking how it is impacting the bad guys’ ability to run through their value chain and achieve their objective…Is it denying surface area over time to the threat actors, is it denying visibility to the surface area, is it making the surface area difficult…

“One of the best pieces of advice I can give is to think about how controls are interfering with the bad guys in their operations, not so much is it stopping this chain of events.   

You Should Be the Center of the Universe

“When we talk about people and communication, it takes a village, and you should be at the center of the universe. 

“One of my frustrations is that often FAIR is treated as in addition to or adjacent to what’s happening in information security.

“If you have something that’s telling you how much risk you have…that should be the engine that runs your organization. If you are acting and you don’t know how much risk there is, then what exactly are you doing? Are you managing risk, are you doing the right thing? The answer is no. 

“So, from an output standpoint, there isn’t a part of the organization that shouldn’t have a cascading impact from FAIR.”

Jack Whitsitt on What They Dont Teach You in FAIR SchoolGet the rest of Jack Whitsett’s FAIR tips - Watch “What They Didn’t Teach You in FAIR School

Learn How FAIR Can Help You Make Better Business Decisions

Order today
image 37