Cybersecurity Risk Quantification: From Fad, to Trend, to Mainstream – Part 1

Fad (noun): an intense and widely shared enthusiasm for something.

Trend (noun): a general direction in which something is developing or changing.

Mainstream (noun): the ideas, attitudes, or activities that are regarded as normal or conventional; the dominant trend in opinion.

steve-tabacek.jpgIt is rare in today’s marketplace to invent a process or technology that has the potential of changing the industry. At the end of 2010, I was freshly out of a successful exit with my first data backup/business continuity company and had very little desire to grow another startup. The pause between startups only lasted three months and then my longtime friend, Jack Jones, asked me to consider joining him to start a software application company based on something called Factor Analysis of Information Risk (FAIR).

I had already known about FAIR from conversations I had with Jack while he was CISO at Nationwide Insurance. Jack told me the story of how it all got started almost a decade earlier, when a sharp business executive asked him, “How much risk do we have?” and “How much less risk will we have if we fund your strategy?” That pivotal conversation was the catalyst which inspired Jack to develop FAIR. Jack firmly believed that FAIR had the potential to change the way organizations measure, analyze, and communicate InfoSec risk.

Still a bit skeptical about the impact on the industry, I remember asking him the following questions:

  1. “Is FAIR just a fad? “Who else shares your enthusiasm for FAIR?
  2. “Is the marketplace mature enough for FAIR”?

I still wasn’t certain that FAIR had a strong enough basis to develop an enterprise application and start a business, so I decided to do some due-diligence and validate Jack’s hypothesis. Six months of phone calls and visits with CISOs and Risk Officers from some of the country’s largest businesses yielded some interesting results. Just a reminder, our timeframe point-of-reference was 2010. The year of the cyber breach (2014) had not occurred yet.  Most CISOs were control-centric, focused on regulatory guidelines, and hadn’t been enlightened to the value of FAIR.

The silver lining came from several well-recognized, thought-leading CISOs and Risk Officers, who clearly understood the value of quantifying IT/cyber risk into business terms. I remember them explaining to me how quantifying InfoSec risk into business terms would help justify their budgets, help with resource prioritization, and help communicate InfoSec risk to their executive peers. A good indication for me that they were serious about finding a solution to solve their pain was when several companies paid us in advance to develop a FAIR-based enterprise application.  At the end of my due-diligence, I was absolutely certain that FAIR was something that would someday develop into a trend and then become mainstream.