The FAIR Institute Blog

You Attended the FAIR™ Seminar at RSA Conference 2020 – Here Are Next Steps to Start Your FAIR Program

Written by Jeff B. Copeland | Mar 4, 2020 9:50:24 PM

If you were among the 700 RSA Conference attendees who sat in on one of the two half-day seminars introducing FAIR™, led by Jack Jones and Jack Freund (photo), co-authors of the FAIR book, you got a good look at the power of the FAIR model to transform how organizations think about, communicate and manage risk. If you’re ready to be a FAIR change agent in your organization, here are five next steps you can take.  

Survey: What first steps would you recommend to anyone looking to launch a FAIR program? Share your experience!  We're collecting your (anonymous) tips to publish.

Click here to take our one-minute survey now!

 

1.  Join the FAIR Institute, Learn from Your Peers and the Experts

Over 7,000 risk and security professionals (representing 35% of the Fortune 1000 companies) have joined the FAIR Institute, the non-profit organization dedicated to advancing the discipline of measuring and managing information risk. SC Media named the Institute one of the Most Important Industry Organizations of the Last 30 Years. Members network and share learning with their peers and the experts at 19 local chapters, the annual FAIR conference and the LINK discussion board. Join the FAIR Institute now (it’s free).

2.  Get FAIR Training for Yourself and Your Team

For a start, get the FAIR book Measuring and Managing Information Risk: A FAIR Approach – you may be surprised to learn that it’s a very accessible read, not requiring any heavy statistical or infosecurity knowledge. As FAIR Model creator Jack Jones says, the main prerequisite to be a FAIR analyst is critical thinking skill. Whether you’ve read the book or not, your next step should be formal FAIR training through the Institute’s technical partner, RiskLens, taught by FAIR analysts with extensive experience introducing FAIR to large organizations. Learn about FAIR training courses online and on-site, and at these public sessions in 2020:

Atlanta, GA – March 25 & 26

Dallas, TX – April 29 & 30

National Harbor, MD – May 31 & June 1 (Just before the Gartner Security and Risk Summit)

3.  Introduce FAIR to Your Organization

Many organizations have found that the first and lasting benefit of introducing FAIR is to level-set conversations about risk across teams, departments and disciplines by training on FAIR’s consistent and logical taxonomy and vocabulary – no more Tower of Babel experiences when infosecurity, enterprise risk management, finance, business continuity and other risk stakeholders get together. Successful FAIR pioneers have hosted internal roadshows to introduce the FAIR Model and demonstrate how it’s used to decompose risk into analyzable factors.  For an introduction for senior management,  FAIR Institute Executive Briefings are a free service delivered in person or by video conference. Contact us to arrange a Briefing. 

Learn more in these blog posts: 

To Make Your Risk Management Program Fly, First Fix Your Language

How to Speak Cyber Risk (and Be Understood by the Business)

And for a good general introduction, read the eBook by Jack Jones An Adoption Guide for FAIR  

Re-live the RSA seminar “A FAIR™ Approach to Cyber and Technology Risk Measurement” - View the slides (FAIR Institute membership and LINK discussion board sign-up required).

4.  Find a Pain Point to Analyze

We’ve repeatedly heard this advice coming out of successful FAIR introductions: the best way to start analyzing is to…start analyzing. As Jack Jones writes, find “at least one clear and specific value proposition” for using FAIR – for instance, a quick win from supporting an immediate, limited-scope decision with a risk analysis – and try your hand at applying the model to a risk scenario. You’ll need to collect data to feed the model’s inputs for the frequency and magnitude of loss events, so this is your opportunity to pick the brains of subject matter experts in the organization (who ideally attended your FAIR introductory roadshow).

Some guidance here: 

Anatomy of a FAIR Risk Analysis: Confidential Data in Email

Where to Find Risk Scenarios to Analyze

3 Tips on How to Talk to SMEs about Cyber Risk Quantification

5.   Run an Analysis on the FAIR-U Training App

FAIR-U is the officially sanctioned training app from the FAIR Institute. The tool is offered free of charge by RiskLens, the Institute’s technical partner. While it’s limited to analyzing one scenario at a time, FAIR-U lets you sample the main points of a FAIR analysis: guided data collection, setting calibrated data ranges, running a Monte Carlo simulation and generating a report that quantifies probable risk in dollar terms. To build a FAIR-based risk management program, organizations typically advance to the full-scale RiskLens Platform, which can run multiple analyses for top risks assessment, cost-benefit analysis, audit findings prioritization and other enterprise-level decision-support functions.

Learn more: Practice FAIR on Our Free Training App
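If you want to see what steps 4 and 5 actually do with the numbers your SMEs give you before you open a tool, here is a short worked example written for this post. It is not code from FAIR-U, the RiskLens Platform or the FAIR Institute: it keeps only the two top-level FAIR factors (Loss Event Frequency and Loss Magnitude), models each calibrated min / most likely / max range as a modified-PERT distribution (an assumption about distribution choice that real tooling may make differently), and uses a constructed scenario whose ranges are invented for illustration, not real SME data. Everything runs on the Python standard library.

```python
"""Simplified FAIR-style Monte Carlo: calibrated ranges in, annualized loss exposure out.

Added illustration for this post, not FAIR-U or RiskLens code. It keeps only the two
top-level FAIR factors (Loss Event Frequency and Loss Magnitude) and models each
calibrated min / most likely / max range as a modified-PERT distribution (an
assumption about distribution choice; other tooling may differ).
"""
import math
import random
from statistics import mean


def sample_pert(rng, low, likely, high, gamma=4.0):
    """Draw from a modified-PERT distribution built on a beta distribution."""
    if not (low <= likely <= high):
        raise ValueError("calibrated range must satisfy low <= likely <= high")
    if high == low:
        return low
    span = high - low
    alpha = 1 + gamma * (likely - low) / span
    beta = 1 + gamma * (high - likely) / span
    return low + rng.betavariate(alpha, beta) * span


def sample_poisson(rng, lam):
    """Knuth's Poisson sampler: number of loss events in one year at rate lam."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(lef_range, lm_range, iterations=10_000, seed=1):
    """Return sorted simulated annual losses (one entry per simulated year).

    lef_range: (min, most likely, max) loss events per year.
    lm_range:  (min, most likely, max) loss per event, in dollars.
    Each iteration: draw a frequency, draw how many events actually occur that
    year, then draw and sum a magnitude for each event.
    """
    rng = random.Random(seed)  # fixed seed so a report can be reproduced
    losses = []
    for _ in range(iterations):
        lef = sample_pert(rng, *lef_range)
        n_events = sample_poisson(rng, lef)
        losses.append(sum(sample_pert(rng, *lm_range) for _ in range(n_events)))
    losses.sort()
    return losses


def summarize(losses):
    """Headline figures a FAIR-style report shows, from sorted annual losses."""
    n = len(losses)

    def percentile(p):
        return losses[min(n - 1, int(p * n))]

    return {
        "mean_ale": mean(losses),  # annualized loss exposure
        "p10": percentile(0.10),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "max": losses[-1],
        "prob_any_loss": sum(1 for x in losses if x > 0) / n,
    }


# Constructed example scenario (invented numbers, not real SME data): confidential
# data e-mailed to the wrong recipient. These are the kind of ranges an analyst
# would elicit and calibrate with subject matter experts in step 4.
EXAMPLE_LEF = (0.1, 0.5, 2.0)              # loss events per year
EXAMPLE_LM = (20_000, 150_000, 1_200_000)  # dollars per event


def run_example():
    return summarize(simulate_annual_losses(EXAMPLE_LEF, EXAMPLE_LM))


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key:>14}: {value:,.2f}")
```

Two things worth noticing when you run it: the median year in this scenario is a zero-loss year (the event rate is below one per year), so the mean annualized loss exposure and the 90th percentile tell the decision-maker more than the median does; and the output is only as good as the calibration of the ranges you fed in, which is why the SME conversations in step 4 matter more than the simulation itself.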

 

Related:

How to Start a FAIR Program? Start Small

[Video] From the FAIR Breakfast at RSAC, 3 Tips on Introducing FAIR to Your Organization