ISACA: FAIR Solves the Communication Gap Between CISOs and Boards

A new white paper from ISACA, the leading IT training and education organization, makes a compelling case for Factor Analysis of Information Risk (FAIR™), the risk quantification standard that powers the RiskLens platform, as the communication tool of choice for CISOs and other IT and security professionals for presenting on cyber risk to the board.


Download the (free) ISACA white paper: Reporting Cybersecurity Risk to the Board of Directors


“The more a risk-management measurement resembles the financial statements and income projections that the board typically sees, the easier it is for board members to manage cybersecurity risk,” ISACA writes. “…FAIR can enable the economic representation of cybersecurity risk that is sorely missing in the boardroom, but can illuminate cybersecurity exposure.”

ISACA identifies the key communication gap between boards, operating at the highest strategic levels of the enterprise, and CISOs, day-to-day involved at the tactical level of cybersecurity. “To build out these connections between the highest and lowest levels of an enterprise requires the decomposition of high-level board concerns into technologically relevant (and measurable) scenarios.”


Get trained in FAIR through the RiskLens Academy


ISACA recommends starting with Basel II categories of loss, decomposing those to business scenarios then breaking those down to IT risk scenarios (as seen in this chart from the white paper):

That is exactly the start of the FAIR analysis process. The white paper explains the next steps in FAIR (adding data for the magnitude of probable loss, the resistance strength of controls, etc.), then feeding those inputs into a Monte Carlo simulation to produce an overall loss distribution – all of these functions are automated in the RiskLens platform.

“It is not feasible to escalate all of [the risk scenarios] to the board,” ISACA says. “Instead, the strategy should be to choose exemplar scenarios to represent each aggregate category. A good way to present these scenarios and metrics to executives is through a dashboard.”

RiskLens clients do in fact build dashboards for board presentation, using the highly flexible reporting on the platform to:

>>identify and prioritize among top risks with Rapid Risk Assessment

>>aggregate and compare risks across business units or by asset types or threat communities

>>show risk trends over time, plotted against risk appetite

>>show the probable effect on risk reduction of security initiatives (with the Risk Treatment Analysis capability).

And – music to a CISO’s ears – the white paper includes a section on justifying security budgets to the board. Beware the standard practice of apportioning security spending as a percentage of IT budget, ISACA says. Instead, use risk quantification to draw “a straight line from loss exposure…to the systems supporting the products and services, and to the compromised technological controls that are causing this excess loss exposure… [Also], it is important that the loss amount (quantitatively) shows a reduction after the money is allocated, controls are implemented, and assessments are updated, in a subsequent board report.”
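To make the two steps above concrete (running FAIR inputs through a Monte Carlo simulation to get a loss distribution, and then showing the board that the loss exposure falls after a control investment), here is a small simulation written for this post. It is not RiskLens platform code and not taken from the ISACA white paper. It assumes three-point (min / most likely / max) estimates sampled from a PERT distribution, a Poisson count of threat events per year, and treats FAIR vulnerability per threat event as "threat capability draw exceeds resistance strength draw". The scenario name and every number in it are constructed for illustration.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Pert:
    """Three-point estimate (min, most likely, max) sampled via a PERT beta."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        if self.high == self.low:
            return self.low
        span = self.high - self.low
        a = 1 + 4 * (self.mode - self.low) / span
        b = 1 + 4 * (self.high - self.mode) / span
        return self.low + span * rng.betavariate(a, b)


@dataclass(frozen=True)
class Scenario:
    """FAIR inputs for one IT risk scenario (all figures constructed)."""
    name: str
    threat_event_freq: Pert    # threat events per year
    threat_capability: Pert    # percentile 0-100 of the threat community
    resistance_strength: Pert  # percentile 0-100 of the control stack
    loss_magnitude: Pert       # dollars lost per loss event


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small annual rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def estimate_vulnerability(s: Scenario, draws: int = 20000, seed: int = 1) -> float:
    """Fraction of threat events that become loss events (FAIR vulnerability)."""
    rng = random.Random(seed)
    hits = sum(
        s.threat_capability.sample(rng) > s.resistance_strength.sample(rng)
        for _ in range(draws)
    )
    return hits / draws


def simulate_year(rng: random.Random, s: Scenario) -> float:
    """Annual loss: each threat event that beats the controls incurs a loss."""
    events = poisson(rng, s.threat_event_freq.sample(rng))
    total = 0.0
    for _ in range(events):
        if s.threat_capability.sample(rng) > s.resistance_strength.sample(rng):
            total += s.loss_magnitude.sample(rng)
    return total


def simulate(s: Scenario, years: int = 10000, seed: int = 1) -> dict:
    """Monte Carlo over many simulated years; returns the loss distribution summary."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(rng, s) for _ in range(years))

    def pct(p: float) -> float:
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {"mean": mean(losses), "p50": pct(0.5), "p90": pct(0.9),
            "p95": pct(0.95), "max": losses[-1]}


def compare(before: Scenario, after: Scenario, years: int = 10000, seed: int = 1) -> dict:
    """Before/after view for a budget request: the reduction in annualized loss."""
    b, a = simulate(before, years, seed), simulate(after, years, seed)
    return {"before": b, "after": a, "reduction_in_ale": b["mean"] - a["mean"]}


# Constructed scenario: controls as they stand today.
BEFORE = Scenario(
    name="Ransomware disrupts order processing (current controls)",
    threat_event_freq=Pert(2, 6, 12),
    threat_capability=Pert(40, 65, 90),
    resistance_strength=Pert(30, 50, 70),
    loss_magnitude=Pert(50_000, 400_000, 3_000_000),
)

# Same scenario after the proposed control investment: only resistance strength
# changes, so the reduction shown is attributable to the funded controls.
AFTER = Scenario(
    name="Ransomware disrupts order processing (after investment)",
    threat_event_freq=BEFORE.threat_event_freq,
    threat_capability=BEFORE.threat_capability,
    resistance_strength=Pert(60, 80, 95),
    loss_magnitude=BEFORE.loss_magnitude,
)

if __name__ == "__main__":
    result = compare(BEFORE, AFTER)
    for label in ("before", "after"):
        r = result[label]
        print(f"{label:>6}: ALE ${r['mean']:,.0f}  p50 ${r['p50']:,.0f}  "
              f"p90 ${r['p90']:,.0f}  p95 ${r['p95']:,.0f}")
    print(f"reduction in annualized loss: ${result['reduction_in_ale']:,.0f}")
```

The printed lines are the figures a dashboard row would carry: annualized loss expectancy plus the tail percentiles that matter for risk appetite, reported once with current controls and once after the funded controls, so the subsequent board report can show the reduction the white paper calls for.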


Let's Talk about Your Cyber Risk in Business Terms

RiskLens is leading a revolution in the way cyber risk is assessed, measured and managed by bringing to market a Software as a Service solution that makes cyber risk quantification a reality. We help organizations translate cyber risk from the technical into the economic language of business.