You Attended the FAIR™ Seminar at RSA Conference 2020 – Here Are Next Steps to Start Your FAIR Program

RSAC20 - Jack Freund - FAIR SeminarIf you were among the 700 RSA Conference attendees who sat in on one of the two half-day seminars introducing FAIR™, led by Jack Jones and Jack Freund (photo), co-authors of the FAIR book, you got a good look at the power of the FAIR model to transform how organizations think about, communicate and manage risk. If you’re ready to be a FAIR change agent in your organization, here are five next steps you can take.  

Survey: What first steps would you recommend to anyone looking to launch a FAIR program? Share your experience!  We're collecting your (anonymous) tips to publish.

Click here to take our one-minute survey now!


1.  Join the FAIR Institute, Learn from Your Peers and the Experts

Over 7,000 risk and security professionals) representing 35% of the Fortune 1000 companies)  have joined the FAIR Institute, the non-profit organization dedicated to advancing the discipline of measuring and managing information risk. SC Media named the Institute One of the Most Important Industry Organizations of the Last 30 YearsMembers network and share learning with their peers and the experts at 19 local chapters, the annual FAIR conference and the LINK discussion board. Join the FAIR Institute now (it’s free).  

2.  Get FAIR Training for Yourself and Your Team

For starts, get the FAIR book Measuring and Managing Information Risk: A FAIR Approach – you may be surprised to learn that it’s a very accessible read, not requiring any heavy statistical or infosecurity knowledge.  As FAIR Model creator Jack Jones says, the main pre-requisite to be a FAIR analyst is critical thinking skill. Whether you’ve read the book or not, your next step should be formal FAIR training through the Institute’s technical partner, RiskLens, taught by experienced FAIR analysts with extensive experience introducing FAIR to large organizations. Learn about FAIR training courses online and on-premise and at these public sessions in 2020:

Atlanta, GA – March 25 & 26

Dallas, TX – April 29 & 30

National Harbor, MD – May 31 & June 1 (Just before the Gartner Security and Risk Summit)

3.  Introduce FAIR to Your Organization

Many organizations have found that the first and lasting benefit of introducing FAIR is to level-set conversations about risk across teams, departments and disciplines by training on FAIR’s consistent and logical taxonomy and vocabulary – no more Tower of Babel experiences when infosecurity, enterprise risk management, finance, business continuity and other risk stakeholders get together. Successful FAIR pioneers have hosted internal roadshows to introduce the FAIR Model and demonstrate how it’s used to decompose risk into analyzable factors.  For an introduction for senior management,  FAIR Institute Executive Briefings are a free service delivered in person or by video conference. Contact us to arrange a Briefing. 

Learn more in these blog posts: 

To Make Your Risk Management Program Fly, First Fix Your Language

How to Speak Cyber Risk (and Be Understood by the Business)

And for a good general introduction, read the eBook by Jack Jones An Adoption Guide for FAIR  

Re-live the RSA seminar “A FAIR™ Approach to Cyber and Technology Risk Measurement” - View the slides (FAIR Institute membership and LINK discussion board sign-up required).

4.  Find a Pain Point to Analyze

We’ve repeatedly heard this advice coming out of successful FAIR introductions: The best way to start analyzing is to…start analyzing.  As Jack Jones writes, find “at least one clear and specific value proposition” for using FAIR, for instance, a quick win by supporting with risk analysis an  immediate decision of limited scope, and try your hand at applying the model to identify a risk scenario.  You’ll need to collect data to feed the model inputs for frequency and magnitude of loss events, so this is your opportunity to pick the brains of subject matter experts in the organization (who ideally attended your FAIR introductory roadshow). 

Some guidance here: 

Anatomy of a FAIR Risk Analysis: Confidential Data in Email

Where to Find Risk Scenarios to Analyze

3 Tips on How to Talk to SMEs about Cyber Risk Quantification

5.   Run an Analysis on the FAIR-U Training App

FAIR-U is the officially sanctioned training app from the FAIR Institute. The tool is offered free of charge by RiskLens,  the Institute’s technical advisor. While it’s limited to analyzing one scenario at a time, FAIR-U lets you sample the  main points of a FAIR analysis, including guided data collection, setting calibrated data ranges, running a Monte Carlo simulation and generating a report quantifying probable risk in dollar terms. To build a FAIR-based risk management program, organizations typically advance to the full-scale RiskLens Platform, which can run multiple analyses for top risks assessment, cost benefit analysis, audit findings prioritization and other enterprise-level decision-support functions. 

Learn more: Practice FAIR on Our Free Training App



How to Start a FAIR Program? Start Small

[Video] From the FAIR Breakfast at RSAC, 3 Tips on Introducing FAIR to Your Organization

Learn How FAIR Can Help You Make Better Business Decisions

Order today
image 37