If you were among the 700 RSA Conference attendees who sat in on one of the two half-day seminars introducing FAIR™, led by Jack Jones and Jack Freund, co-authors of the FAIR book, you got a good look at the power of the FAIR model to transform how organizations think about, communicate and manage risk. If you’re ready to be a FAIR change agent in your organization, here are five next steps you can take.
Survey: What first steps would you recommend to anyone looking to launch a FAIR program? Share your experience! We're collecting your (anonymous) tips to publish.
1. Join the FAIR Institute, Learn from Your Peers and the Experts
Over 7,000 risk and security professionals (representing 35% of the Fortune 1000 companies) have joined the FAIR Institute, the non-profit organization dedicated to advancing the discipline of measuring and managing information risk. SC Media named the Institute one of the Most Important Industry Organizations of the Last 30 Years. Members network and share learning with their peers and the experts at 19 local chapters, the annual FAIR conference and the LINK discussion board. Join the FAIR Institute now (it’s free).
2. Get FAIR Training for Yourself and Your Team
For starters, get the FAIR book Measuring and Managing Information Risk: A FAIR Approach – you may be surprised to learn that it’s a very accessible read, requiring no heavy statistical or infosecurity knowledge. As FAIR Model creator Jack Jones says, the main prerequisite to be a FAIR analyst is critical thinking skill. Whether you’ve read the book or not, your next step should be formal FAIR training through the Institute’s technical partner, RiskLens, taught by FAIR analysts with extensive experience introducing FAIR to large organizations. Learn about FAIR training courses online, on-premises and at these public sessions in 2020:
National Harbor, MD – May 31 & June 1 (Just before the Gartner Security and Risk Summit)
3. Introduce FAIR to Your Organization
Many organizations have found that the first and lasting benefit of introducing FAIR is to level-set conversations about risk across teams, departments and disciplines by training on FAIR’s consistent and logical taxonomy and vocabulary – no more Tower of Babel experiences when infosecurity, enterprise risk management, finance, business continuity and other risk stakeholders get together. Successful FAIR pioneers have hosted internal roadshows to introduce the FAIR Model and demonstrate how it’s used to decompose risk into analyzable factors. For an introduction for senior management, FAIR Institute Executive Briefings are a free service delivered in person or by video conference. Contact us to arrange a Briefing.
Learn more in these blog posts:
And for a good general introduction, read the eBook by Jack Jones An Adoption Guide for FAIR
Re-live the RSA seminar “A FAIR™ Approach to Cyber and Technology Risk Measurement” - View the slides (FAIR Institute membership and LINK discussion board sign-up required).
4. Find a Pain Point to Analyze
We’ve repeatedly heard this advice coming out of successful FAIR introductions: The best way to start analyzing is to…start analyzing. As Jack Jones writes, find “at least one clear and specific value proposition” for using FAIR, for instance a quick win such as supporting an immediate, limited-scope decision with risk analysis, and try your hand at applying the model to identify a risk scenario. You’ll need to collect data to feed the model inputs for frequency and magnitude of loss events, so this is your opportunity to pick the brains of subject matter experts in the organization (who ideally attended your FAIR introductory roadshow).
Some guidance here:
5. Run an Analysis on the FAIR-U Training App
FAIR-U is the officially sanctioned training app from the FAIR Institute. The tool is offered free of charge by RiskLens, the Institute’s technical advisor. While it’s limited to analyzing one scenario at a time, FAIR-U lets you sample the main points of a FAIR analysis, including guided data collection, setting calibrated data ranges, running a Monte Carlo simulation and generating a report quantifying probable risk in dollar terms. To build a FAIR-based risk management program, organizations typically advance to the full-scale RiskLens Platform, which can run multiple analyses for top risks assessment, cost benefit analysis, audit findings prioritization and other enterprise-level decision-support functions.
Learn more: Practice FAIR on Our Free Training App
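As an added illustration (not code from the FAIR Institute, RiskLens or the FAIR-U app), the Python sketch below shows the core of the analysis steps described in sections 4 and 5: calibrated minimum / most likely / maximum ranges for loss event frequency and loss magnitude, fed into a Monte Carlo simulation that reports probable annual loss in dollars. The scenario values are constructed, and the triangular distribution and the frequency × magnitude simplification are assumptions for this example, not FAIR-U's implementation.

```python
import random
import statistics

# A calibrated estimate is entered as (minimum, most likely, maximum).
# Assumption for this example: sample it with a triangular distribution
# (FAIR tools often use PERT; triangular keeps this dependency-free).

def validate_estimate(est):
    """Reject ranges that are not ordered low <= most likely <= high."""
    low, mode, high = est
    if not (0 <= low <= mode <= high):
        raise ValueError(f"range must satisfy 0 <= low <= most likely <= high: {est}")
    return est

def simulate_annual_loss(lef, lm, trials=10_000, seed=1):
    """Monte Carlo over loss event frequency (events/year) and loss
    magnitude (dollars/event). Returns one simulated annual loss per trial."""
    lef, lm = validate_estimate(lef), validate_estimate(lm)
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    annual = []
    for _ in range(trials):
        # random.triangular takes (low, high, mode)
        f = rng.triangular(lef[0], lef[2], lef[1])
        m = rng.triangular(lm[0], lm[2], lm[1])
        annual.append(f * m)  # simplification: annual loss = frequency * magnitude
    return annual

def summarize(annual):
    """Percentiles and mean of the simulated annual loss distribution."""
    s = sorted(annual)
    pct = lambda p: s[min(len(s) - 1, int(p * len(s)))]
    return {"min": s[0], "p10": pct(0.10), "p50": pct(0.50),
            "p90": pct(0.90), "max": s[-1], "mean": statistics.fmean(s)}

if __name__ == "__main__":
    # Constructed scenario: ransomware outage of an order-processing system.
    LEF = (0.5, 2.0, 6.0)              # loss events per year
    LM = (20_000, 150_000, 900_000)    # dollars per event
    for k, v in summarize(simulate_annual_loss(LEF, LM)).items():
        print(f"{k:>4}: ${v:,.0f}")
```

The p10/p50/p90 figures are what a FAIR report typically presents as the probable range of annualized loss, which is what makes the result usable for comparing options in dollar terms.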