Jon Oltsik in CSO Online: Survey Shows CISOs Must Embrace New Methods Like FAIR

Jon Oltsik: "CISOs need a business mindset here by working with executive teams to protect the right assets at the right time in a cost-effective way."

Enterprise Strategy Group (ESG), the enterprise IT consultancy, recently asked IT and business executives to identify the most important cyber risk metrics for corporate leaders and board directors. The “top four business-side priorities illustrate the gulf between business needs and technical capabilities,” writes Jon Oltsik, ESG’s senior principal analyst for cybersecurity, in a new article for CSO Online, “Cyber risk management: There’s a disconnect between business and security teams.”

The findings from the survey, Oltsik writes:

  • 39% “say they want security status reports related to major IT and business initiatives.”
  • 36% indicated they want “frequent updates that help guide timely risk mitigation decisions.”
  • 36% want vulnerability reporting only on mission-critical assets, to help prioritize mitigation.
  • 35% want “more detail about ROI on security spending…so organizations can fine-tune budgets.”

Most CISOs don’t have “the processes or metrics to remotely satisfy this need,” Oltsik writes. “The cyber risk management gap represents a high-priority problem that needs immediate attention. CISOs must embrace new tools and cyber risk management methodologies like Factor Analysis of Information Risk (FAIR).”

As the only cyber risk analytics platform built on FAIR, the international standard for cyber risk quantification, RiskLens is already enabling CISOs to report on risk with what Oltsik calls “a business mindset.”

With RiskLens, financially based cyber risk reporting covers exactly the lines the ESG survey respondents want to see:

  • Identifying cyber risks for major IT and business initiatives by running ‘what if’ scenarios.
  • Rapidly running analyses to guide timely risk mitigation decisions.
  • Identifying vulnerabilities based on actual risk analysis, not technical vulnerability scans.
  • Clearly demonstrating ROI by showing probable loss reduction in dollars.

CISOs need to “work with executive teams to protect the right assets at the right time in a cost-effective way,” Oltsik sums up. Agreed.

Read Oltsik’s article “Cyber risk management: There’s a disconnect between business and security teams.”

More recognition for FAIR: The SANS CIS Controls poster now includes the FAIR model as part of the Five Keys for Building a Cybersecurity Program. The SANS Institute is also offering a FAIR training course.