Cybersecurity Risk Quantification: from Fad, to Trend, to Mainstream – Part 2

In the first part of this two-part blog, I discussed maturity factors which propelled Factor Analysis of Information Risk (FAIR) and RiskLens from a fad to a recognized trend within the marketplace. As a recap, it started with business leaders identifying a need to quantify cyber risk in business terms (dollars & cents). This was followed by much acclaimed thought-leader, Jack Jones, developing FAIR, and then early-adopter CISOs and risk managers deriving value from FAIR and the RiskLens software.

In part two of this blog, I will discuss three notable maturity factors which have moved FAIR and RiskLens from trend toward mainstream. The relevant factors include:

  1. Formalization of FAIR into a standard, educational curriculum, and certification
  2. FAIR model and RiskLens software validation
  3. Growth of a FAIR user community

Formalization of FAIR into a Standard, publishing an education curriculum and operationalizing a certification program were significant steps leading to industry acceptance of the first cyber risk quantification standard. Jack Jones, assisted by Chad Weinman of RiskLens, were the key content contributors to The Open Group. The Open Group Security Forum membership then reviewed, provided feedback, and eventually approved the Open Risk Taxonomy Technical Standard (O-RT), Open Risk Analysis Technical Standard (O-RA), and the Open FAIR Certification Program. Clearly more than a trend, cybersecurity and risk professionals now recognize the value of a FAIR certification on their resume.

Open_Group_Standards.pngFAIR model and RiskLens software validation were additional factors in moving FAIR and RiskLens from trend toward mainstream. The validation is supported by published papers by industry analysts, including Gartner. For Gartner customers, two references are available. “Comparing Methodologies for IT Risk Assessment and Analysis” G00256964 which compares FAIR to other risk assessment methodologies. It clearly identifies FAIR as the only Standard and methodology for quantifying IT/cyber risk into monetary/business terms. The second reference recognizes RiskLens (formerly CXOWARE) as the 2015 Cool Vendor in Risk Management, specifically for helping CISOs, senior executives and boards of directors understand and articulate cybersecurity risk in business terms.

Fair_Institute.pngFinally, helping to propel FAIR and RiskLens from trend toward mainstream is the launch and growth of the FAIR user community,called the “FAIR Institute.” The FAIR Institute was created as a non-profit, user-managed community. Here, information risk professionals of leading organizations share and learn about digital risk scenarios affecting their industry, collect and create information risk management best practices, and learn how to better communicate with their peers, executives, boards, and stakeholders about information risk.

Market leaders from the world’s largest financial institutions, retail companies, healthcare companies, and energy companies have embraced both FAIR and RiskLens. Clearly, FAIR and RiskLens have moved from fad, to trend, and are on the path to mainstream marketplace adaptation.