The FAIR Institute Blog

Your New FAIR Goal Is Not a Risk Analysis - It’s Operationalizing CRQ

Written by Jeff B. Copeland | Dec 24, 2025 4:18:34 AM

Image: A New Operating Model for CRQ Programs

Vince Dasta is a long-time FAIR advocate and cyber risk quantification (CRQ) program builder, currently Senior Partner, Risk Strategy at SAFE. 

In this webinar, he has an uncomfortable message for many other FAIR veterans: You are following longstanding best practices but still failing to affect business decision-making. 

The good news: In the end, Vince delivers on a new approach to operationalizing CRQ that puts FAIR practitioners where they should be, as valued advisers to the business.

Watch the webinar on demand: 

Out with the Old, In with the Future: Why Operationalizing CRQ Can’t Wait

“FAIR has been the future of risk management for a decade,” Vince says. Why is it still so hard to get a successful FAIR CRQ program up and running? 

He identifies five “failure modes”:

1. Scoping. Traditionally, that means identifying risk scenarios with the goal of quantifying top risks. Too academic. A better practice is scoping a business decision with bottom-line impact.

2. Data Paralysis. Here’s a modern problem. We actually have too much data coming in through telemetry and other sources. The old FAIR dictum has been you don’t need perfect data, you need accurate data only as precise as is useful. But how to define “precise”? Again, working to impact a business decision will guide you. The key is to be transparent about gaps in the data.

3. Risk Reporting In Vain. Especially in third-party risk management, the analysts do beautiful work but the business rushes on without them. Here Vince presents a radical notion: FAIR-based CRQ analysis should not be a one-and-done report. “What’s useful is the delta”, the change over time from a baseline, showing decision-makers how to aim forward.

4. Out of the Decision Workflow. “If we’re not built into project management or the budget process, we are going to be relegated to the cobweb-covered cubicle in the corner.”

5. Program Output Not Trusted. Ironic, since FAIR is an open standard. Vince says that as FAIR programs try to scale to meet demand, analysts often compensate by creating shortcuts or subjective inputs that undercut credibility.

The solution is a FAIR program with repeatable, transparent processes; a user should be able to click through from any top-line result to the underlying data. But that’s difficult to achieve without full automation.

A New Operating Model for CRQ Programs

Vince segued into a radically new approach to FAIR program management developed by him and colleagues at SAFE. (Note: SAFE is the technical adviser to the FAIR Institute). 

The new model starts with the proposition that “CRQ is not a report,” Vince says, “it’s a risk management lifecycle, a continuous process.” And it has a rhythm.

“The rhythm that we try to implement is: 

  • Understand the decision we are trying to make. 
  • Be able to detect the change that’s happening all the time (the delta or as he calls it, “the diff”)
  • Quantify the diff, understand what’s driving it.
  • Make recommendations based on the results.”

It all rolls up into Cyber Decision Intelligence for the CISO or other business leaders to make better and faster decisions. 

The New Operating Model emphasizes moving fast out of the box to deliver tangible value, and establish the rhythm, in the first 30 days of the program.

Vince recommends starting the FAIR program with a focus on one executive decision, on this schedule:

Week 1: Define scenario + success criteria ("what would change our mind about a decision?")

Week 2: Set a baseline model (risk acceptance ranges, risk drivers)

Week 3: Instrument the "diff" (signals + thresholds + review cadence)

Week 4: Deliver the first ‘decision package’ (not a risk analysis) + set an ongoing rhythm that can scale
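The baseline-to-diff rhythm above, as an added Python sketch that is not code from the webinar, SAFE or the FAIR Institute: a FAIR-style scenario is reduced to three calibrated factors, the re-estimate after a month of signals is compared with the week-2 baseline, the delta is attributed to its drivers, and the week-1 “what would change our mind” criterion decides whether a decision package is due. The factor set, the ranges, the acceptance ceiling and the change threshold are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Estimate:
    """Calibrated (min, most likely, max) range for one FAIR factor."""
    low: float
    likely: float
    high: float

    def point(self) -> float:
        # PERT-weighted point estimate; a production model would sample the ranges.
        return (self.low + 4 * self.likely + self.high) / 6

DRIVERS = ("tef", "vuln", "loss_magnitude")  # assumed trimmed FAIR factor set

def annualized_loss(model: dict) -> float:
    """Risk = loss event frequency x loss magnitude, with LEF = TEF x vulnerability."""
    lef = model["tef"].point() * model["vuln"].point()
    return lef * model["loss_magnitude"].point()

def quantify_diff(baseline: dict, current: dict) -> dict:
    """Rhythm steps 2-3: measure the delta and attribute it per driver by
    swapping one current estimate at a time into the baseline."""
    base_ale = annualized_loss(baseline)
    attribution = {}
    for name in DRIVERS:
        swapped = dict(baseline, **{name: current[name]})
        attribution[name] = annualized_loss(swapped) - base_ale
    top = max(attribution, key=lambda n: abs(attribution[n]))
    return {"baseline_ale": base_ale, "current_ale": annualized_loss(current),
            "attribution": attribution, "top_driver": top}

def decision_package(baseline: dict, current: dict,
                     acceptance_max: float, change_threshold: float) -> dict:
    """Rhythm step 4: apply the week-1 success criterion. Assumed here: ALE exceeds
    the acceptance ceiling, or moves by at least change_threshold (a fraction)."""
    pkg = quantify_diff(baseline, current)
    pkg["delta"] = pkg["current_ale"] - pkg["baseline_ale"]
    pkg["outside_acceptance"] = pkg["current_ale"] > acceptance_max
    pkg["material_change"] = abs(pkg["delta"]) / pkg["baseline_ale"] >= change_threshold
    pkg["revisit_decision"] = pkg["outside_acceptance"] or pkg["material_change"]
    return pkg

# Constructed sample ranges, not real telemetry: week-2 baseline vs. the
# re-estimate after a month of signals (vulnerability and tail loss moved).
BASELINE = {"tef": Estimate(3, 6, 9), "vuln": Estimate(0.1, 0.2, 0.6),
            "loss_magnitude": Estimate(100_000, 250_000, 1_000_000)}
CURRENT = {"tef": Estimate(3, 6, 9), "vuln": Estimate(0.2, 0.4, 0.9),
           "loss_magnitude": Estimate(100_000, 250_000, 1_300_000)}
PACKAGE = decision_package(BASELINE, CURRENT, acceptance_max=750_000, change_threshold=0.25)
```

The package answers the questions the rhythm asks: how much the loss exposure moved, which driver moved it, and whether that crosses the criterion the decision-maker agreed to in week 1.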

“The output we should be producing is not a number, it’s recommended actions and risk tradeoffs,” Vince says, delivered as a package of decision intelligence.

“To think about operationalizing…the metric we should keep in mind is, did we influence the priority, spend or risk acceptance in a real decision.”

Get more actionable tips on bringing Cyber Decision Intelligence to your organization - watch the webinar now: 

Out with the Old, In with the Future: Why Operationalizing CRQ Can’t Wait