Warning: Potential (Happy) Side Effects to Implementing FAIR™

December 12, 2019  Taylor Maze

We’ve seen it happen: IT risk analysts who get trained on the FAIR model for cyber risk quantification, and spread the word to their internal clients, stakeholders, managers and even up to the board of directors, experience sudden feelings of accomplishment, moments of insight and clarity and general heightening of self-esteem following rounds of thank-you’s from their organizations. We think it’s due to these properties of FAIR, especially when applied through the RiskLens platform:

  • Gives direction for purposeful gathering of relevant data for risk analyses from subject matter experts in the organization – no wasting of anybody’s time or good will.
  • Provides a structure for critical thinking about risk, focusing mental energy on actual loss events with impact on the organization, not vague threats like “the cloud” or “passwords.”
  • Yields results on risk as a range of probable outcomes in dollar cost terms instantly understandable by anyone in the organization.

Consistent use of the FAIR methodology in cyber risk analytics can also lead to these long-term side effects:

Improved Job Satisfaction for IT Risk Analysts

Right now, half of the organization communicates risk in high/medium/low. But each individual group has a different definition for those classifications. Then there is a side of the organization which communicates risk based on a 5- level scale that –you guessed it– is defined differently than the other scales in the organization. Oh, and then there’s the Board, who wants to make decisions based on economic value (i.e. dollars and cents). And you’re in the middle of all of this.

By implementing the FAIR model, you will be introducing a standard risk language across your organization, dollars and cents, improving communication with other teams, and better yet, ending the frustration of pointless arguments over which risks are truly high or low, based on opinion and guesswork, not shared definitions of the factors that go into risk. Better communication leads to getting more done – and deriving more satisfaction from your job as a risk analyst.

Better Relationship with Your Boss 

By implementing the FAIR model, you will gain additional insight into your risk environment. This additional insight will allow you measure real world risks in financial terms so you can provide your boss with data driven reporting. By providing your boss with data driven reporting you are giving him/her the means to make informed, risk-based decisions. Your boss can in turn point to a quantitative, rigorous, defensible model behind your risk analysis when presenting to the rest of the organization, looking smarter and ultimately respecting you more. 

Development of Expert Support System 

When you implement the FAIR model (or even if you’re just considering FAIR), you can join the FAIR Institute, an expert, non-profit organization led by Chief Information Risk Officers, CISOs and business executives to develop standard information risk management knowledge and operational best practices based on FAIR. They share their collective wisdom through discussion boards, online webcasts and the annual FAIR Conference. These are all people who are going through the same process you are and can provide insight and feedback—plus professional connections. Long term effects include new friends, skills and knowledge growth and, who knows, maybe a better job with even better job satisfaction.