The National Institute of Standards and Technology recently added the FAIR model to its Cybersecurity Framework (NIST CSF) compilation of best practices, an important recognition that good cybersecurity starts with a quantifiable risk assessment, not just a checklist of recommended controls. This is a long time coming but an expected outcome, given that many organizations are already combining NIST CSF and FAIR to drive better security outcomes. Take, for example, the work done by Ian Amit (title, company affiliation) and his team, which was highlighted in a RiskLens webinar a short time back/was the focus of a presentation at the recent FAIR Institute Conference (link to webinar).
But how should you think about combining FAIR and NIST CSF in your organization?
We asked Dr. Jack Freund, who worked closely with NIST to write the FAIR portions of the CSF standard for risk analysis and risk management, to give us a quick take on how to understand the combination of NIST CSF and FAIR. Many are confused into thinking they must adopt one or the other, but the primary takeaway should be that these are complementary frameworks that work very well when combined.
We also asked Jack to give three actionable tips on how to harness the combined power of NIST CSF and FAIR. Jack is Risk Science Director for RiskLens and co-author of the FAIR book, Measuring and Managing Information Risk.
Listen to the two audio clips or read the transcripts below.
The RiskLens Platform is the only application purpose-built on the FAIR model and with the participation of Jack Jones, creator of FAIR. RiskLens is the technical adviser to the FAIR Institute and the leading trainer of FAIR analysts. More than 6,000 risk professionals are members of the FAIR Institute, representing about one-third of the Fortune 1000.
Implementing NIST CSF? Read This First (FAIR Institute)
I think there are three points that are useful to take home from this.
The first is, the NIST CSF is a framework for cybersecurity and with all frameworks, there are areas which need to be fleshed out to a greater degree.
So, the mapping of NIST CSF to FAIR acknowledges that there is more depth to the risk analysis and assessment processes (called out by NIST CSF) than NIST CSF offers.
And that’s great news because it gives you the opportunity to use a framework that your organization wants to do like NIST CSF, as well as a complementary framework like FAIR which gives you the opportunity to really delve deep into articulating risk for your organization.
The second point I’d like to make is that FAIR itself actually needs a good controls catalog – the FAIR standard alone does not articulate all the various and sundry controls you might put in place in your organization. So, FAIR, like NIST CSF, needs a complementary standard in order to be able to fully recognize the value of it.
And the third thing I’d mention is that the priority of FAIR is to help an organization understand and prioritize risk responses and make sure that important things are bubbled up through the organization. That’s the same goal of the NIST CSF framework as well – to provide a reasonable amount of security controls based upon the organization’s risk profile.
So, these two standards are really greatly matched in their ability to complement each other and provide value for organizations.
Q: Give us some examples in a practical sense of how people can use this new combination?
If you look at RA 5 in the NIST CSF, it tells you to use threats, vulnerabilities, likelihood and impacts to determine risk. But it doesn’t give you the details on how to do that – and that’s where FAIR comes in.
FAIR tells you how to go about scoping a risk assessment to make sure you are assessing a risk scenario that has loss in it – and understand what the asset at risk is, what the threat communities are, and what the controls are that are helping to protect that asset. NIST tells you broadly to make sure you use these things to assess risk – the specific way you need to combine those is spelled out in FAIR.
What’s more, in the RA 6 section, the responses to that risk assessment are identified and prioritized. This is where a lot of risk assessment methodologies fall down by using qualitative results:
Everything’s a red-yellow-green, and when everything is red, it’s hard to determine between them which is the more important thing. If everything’s important, nothing is important. FAIR gives you the quantitative value to be able to truly prioritize those risk responses.
One last thing that’s really interesting: There is a section in the NIST CSF that talks about making sure you understand risk constraints and tolerances – and use them to support operational risk decision making. This is where FAIR really shines. The ability to assess tolerance for loss in FAIR is second to none – and there you see that it has this ability to say, we have specific risk appetite or tolerance levels that you can draw a line on a graph with, and say things beyond this are not OK and things below this are OK.
So, that kind of quantitative risk appetite level can be done in FAIR and NIST CSF calls out for that.
Q: Many organizations use the NIST CSF as a model to gauge their progress. Is a combination with FAIR an advancement over that?
A: I think both are necessary in different ways. If you want to know how mature you are, I think those kinds of models are great. But if you want to be able to answer the questions that NIST CSF is asking you to (i.e., using the risk assessment to support operational risk decisions), the tool set to do that is not spelled out in NIST CSF. So, you have to go to FAIR to find the right way to talk about tolerances, and appetite, and loss, and prioritizing risks.
So, you get both in there: You get the opportunity to manage risk to the organization’s profile the way that they want you to, as well as reflecting operational maturity in your control programs.
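To make the quantitative prioritization and the tolerance line described in the interview concrete, here is a small FAIR-style Monte Carlo in Python. It is an added illustration, not code from the original post or from any RiskLens product; the scenario ranges are constructed, and triangular distributions are assumed in place of the PERT distributions FAIR tooling usually uses.

```python
"""FAIR-style Monte Carlo: rank scenarios by annualized loss exposure (ALE).

Each scenario is described by three calibrated (min, most likely, max) ranges:
  TEF  - threat event frequency, threat events per year
  VULN - vulnerability, probability a threat event becomes a loss event
  LM   - loss magnitude per loss event, in currency units
Loss event frequency LEF = TEF * VULN, and ALE = LEF * LM.
The scenario values below are constructed for illustration only.
"""
import random

# Constructed scenarios: (name, TEF range, VULN range, LM range)
SCENARIOS = [
    ("Ransomware on file servers", (2, 5, 10), (0.10, 0.20, 0.30), (50_000, 100_000, 200_000)),
    ("Lost unencrypted laptop", (0.1, 0.5, 1.0), (0.05, 0.10, 0.20), (10_000, 20_000, 40_000)),
]


def simulate_ale(tef, vuln, lm, trials=10_000, seed=42):
    """Return sorted ALE samples for one scenario (assumed triangular inputs)."""
    rng = random.Random(seed)  # fixed seed keeps runs reproducible
    samples = []
    for _ in range(trials):
        # random.triangular takes (low, high, mode); ranges are (min, mode, max)
        lef = rng.triangular(tef[0], tef[2], tef[1]) * rng.triangular(vuln[0], vuln[2], vuln[1])
        samples.append(lef * rng.triangular(lm[0], lm[2], lm[1]))
    return sorted(samples)


def percentile(sorted_samples, p):
    """Nearest-rank p-th percentile (0-100) of an already sorted sample."""
    idx = round(p / 100 * len(sorted_samples)) - 1
    return sorted_samples[max(0, min(len(sorted_samples) - 1, idx))]


def prioritize(scenarios, tolerance, trials=10_000):
    """Rank scenarios by 90th-percentile ALE and flag those above the loss tolerance.

    The tolerance is the 'line on the graph': anything whose p90 ALE sits
    above it is not OK and goes to the top of the response list."""
    results = []
    for name, tef, vuln, lm in scenarios:
        ale = simulate_ale(tef, vuln, lm, trials)
        p10, p50, p90 = (percentile(ale, p) for p in (10, 50, 90))
        results.append({"scenario": name, "p10": p10, "p50": p50, "p90": p90,
                        "exceeds_tolerance": p90 > tolerance})
    return sorted(results, key=lambda r: r["p90"], reverse=True)


if __name__ == "__main__":
    for r in prioritize(SCENARIOS, tolerance=50_000):
        flag = "OVER tolerance" if r["exceeds_tolerance"] else "within tolerance"
        print(f"{r['scenario']:<28} p10={r['p10']:>10,.0f} p50={r['p50']:>10,.0f} "
              f"p90={r['p90']:>10,.0f}  {flag}")
```

Replacing the red-yellow-green label with a p10/p50/p90 loss range is what lets two "red" scenarios be ordered against each other and against a stated appetite.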
RiskLens is leading a revolution in the way cyber risk is assessed, measured and managed by bringing to market a Software as a Service solution that makes cyber risk quantification a reality.
We help organizations translate cyber risk from the technical into the economic language of business.