Security professionals can close the communication gap with the rest of the business by analyzing cyber risk in financial terms with the help of the FAIR model. But they also need to take a second step: Learn the business.
“Far too often, risk analysts are brimming with knowledge of controls and threats but have little understanding of how an organization makes money. This means they are innately unable to complete a risk assessment as they are missing information to appropriately assess business impact.”
Jack, the co-author of the FAIR book Measuring and Managing Information Risk, offers this to-do list of topics to learn:
“Having a working knowledge of these areas of the enterprise enables a risk analyst to better assess loss magnitude forms such as productivity, competitive advantage, fines and judgements, and reputation damage,” Jack writes. “Upgrading your business acumen will improve your ability to assess business loss and by extension risk.”
Also by Jack Freund: ZombieLoad at the Gates – FAIR on Defense (FAIR Institute Blog)