A window of opportunity opens after you, as a CISO, CIRO or other security and risk management leader, realize you must transition away from qualitative risk measurement techniques towards quantitative ones. The next big step will be setting your team up to start the journey.
You can prepare the way by establishing a foundational mindset and a culture in your team based on Factor Analysis of Information Risk (FAIR™), the international standard for quantification of cyber and technology risk in financial terms. This blog post provides team-building strategies and curated content toward that goal.
To quote Omar Khawaja, the CISO who is pioneering FAIR at Highmark Health:
“The goal for us isn’t to use the FAIR methodology to deliver a particular risk assessment report. The goal is to create a culture that is risk-based, that isn’t always thinking there’s a gap, there’s a vulnerability, there’s a security control we haven’t purchased.” Read an interview with Omar.
So, where to begin? Invite others to discover the published FAIR material referenced below. I have found that an effective way to learn new information that challenges old assumptions is via a book club format for shared reading and discussion. This format establishes a clear roadmap of knowledge that ultimately will lead to program implementation.
Let’s explore a couple of general topics and corresponding FAIR content that your team can discuss and absorb.
Brad Agee is a RiskLens Risk Consultant
The essential domain to study and build consensus on within your team is risk terminology. Successful FAIR shops understand that a standard set of risk terms, definitions, and relationships brings clarity to discussions about risk, which is one of the great benefits of FAIR. You might focus first on the FAIR book and use the other references as supporting content.
Chapters 1-4 of Measuring and Managing Information Risk: A FAIR Approach by Jack Jones and Jack Freund
Jack Jones’s white paper, A Clarification of ‘Risks’?
Give your team a deeper FAIR education with the FAIR Analysis Fundamentals training course from RiskLens Academy, available with live and video instruction.
Experienced quantitative risk analysts will tell you the most critical phase in performing a risk assessment is scoping. The following content will help you understand the elements of a risk assessment from a FAIR perspective and why the scoping process is so important. Again, I recommend you focus on the book first.
Chapters 5-6 of Measuring and Managing Information Risk: A FAIR Approach cover measurement and scoping.
Blog post How To Scope A Risk Analysis Using FAIR
A follow-up post, Assumptions in Risk Analysis Are a Powerful Thing, shows how assumptions play a crucial role (for better or worse) in scoping an analysis.
Blog post How to Explain FAIR to Auditors
CISOs who have successfully launched FAIR programs started with use cases for cyber risk quantification that yielded high value to the business, in cost/benefit terms that were clear to business stakeholders. (See this blog post: 12 Bits of Advice from FAIR Veterans to New FAIR Evangelists). RiskLens can help: we offer customized proof-of-value engagements led by our services team that can tackle a high-value use case or identify the top cyber risks your organization faces, in dollar terms, using the Rapid Risk Assessment capability of the platform.
Let us show you the value and flexibility of the RiskLens platform – Schedule a Demo
RiskLens is leading a revolution in the way cyber risk is assessed, measured and managed by bringing to market a Software as a Service solution that makes cyber risk quantification a reality. We help organizations translate cyber risk from the technical into the economic language of business.