If you need a concise manifesto to convince others in your organization of the need for FAIR™ cyber risk quantification – particularly in budget-setting season – Jack Freund, PhD, co-author of the FAIR book Measuring and Managing Information Risk, has written it, just out in the ISACA Newsletter.
In Analyzing Cybersecurity Spending in Depth, Jack argues that the recommended controls in NIST Special Publication (SP) 800-53 and other industry standards are so numerous that “many will begin implementing these controls and never arrive at the end of their implementation cycle” given the demands of ongoing cyber hygiene and shifting organizational initiatives.
“In any environment where resource allocation faces scarcity, economic principles must be applied,” Jack writes, vs. a “gotta catch ’em all” mind-set.
FAIR, with its value-at-risk approach, “gives you a way to focus on the riskiest scenarios. A fully formed risk scenario will contain a statement of loss that helps top leadership in your organization focus on what is imperiled along with why it should be funded.
“Further, relevant control solutions (such as those from NIST SP 800-53) can be paired with loss scenarios to enable decision-makers in the organization to make a fully informed choice.”
Read – and distribute in your organization – the rest of Jack’s manifesto in the ISACA Newsletter.