Introducing an organization to the FAIR model, to an outlook that’s risk-centric instead of compliance-centric, and to the tools for risk quantification – it’s not just a process change, it’s a culture change. “For people who haven’t been through this drill, I think the cultural dimension is underappreciated until you are in the midst of the changes,” said FAIR author and RiskLens Co-Founder Jack Jones.
Jones led a panel on “Effectively Leveraging FAIR to Reset Your Risk Management Program” at the recent FAIR Conference 2017 in Dallas. On the panel were three veterans of FAIR-based resets at large organizations:
Here are their three key bits of advice for any FAIR evangelists, seeking to change established mindsets on information and technology risk analysis and management:
“Cyber risk is not the special snowflake that cybersecurity people would like to say it is,” said Joel Baese, something that can’t be measured – but that’s a common objection the panelists said they hear.
“The perspective I try to bring is that there’s a whole other discipline called risk. We don’t need to reinvent it” for cyber. “It’s been done for a long time before IT came around and it applies here.”
One culture-change obstacle – the heat map or other red/amber/green risk rating devices, based on qualitative distinctions among risks. FAIR expresses risk as probabilities along a scale, which requires thinking in numbers, not colors.
The advice of this panel was: Don’t fight the colors. When discussing the top risk themes around Chevron, said Carl Conrad, “we convert it back to a red/yellow/green so they don’t see the numbers. But what goes into developing the stoplight is FAIR; that’s the information underneath.”
Jack Jones added: “Some executives really want to see the numbers, others only want to know what they should be worried about. But they all want to know that there’s meat under there.”
Resistance to measuring risk has some deeper roots in IT culture, however, panelists agreed. For a long time, cybersecurity folks have argued that “the wolf is at the door” in the threat landscape, said Baese. “They’re huffing and puffing and, oh my gosh, here’s a blank check” from management. “Then here we come and say here’s what the probability shows what the annual loss exposure is, and it’s not going to cause us to shutter the place. It does take away a bit of their power.”
“I’ve tried to overcome those obstacles by relating it to insurance. If you’re working in a true risk profession, you expect loss and you prepare for it. As the security folks say, it’s not if but when. So, OK, let’s prepare for it.”
You’ll know your FAIR introduction has been successful when it’s embedded in the standard processes by which your organization operates, said Drew Simonis. So his advice is to start from the ground up on governance; “if you think of all the steps you have to go through to get things codified”, that’s where the key discussions are going to occur.
At Chevron, FAIR implementation rode along with creation of a “cybersecurity cross-functional leadership team,” said Conrad.
“We’re taking representatives from the business who are not security professionals that come together, hear what security has to say and make sure those decisions get cascaded back into their organizations. As part of that process we bring our top risk themes into the discussion.”
“With that agreement across the organization on what the top risk is, then that feeds into our cybersecurity strategy and then for our planning, the real meat of is, we are allocating money based on the analysis that we are doing up front.”
Of course, a key community to win over in the organization are the owners of compliance, who may also resist a risk-based approach. Conrad’s advice on how to handle:
“A key part is realizing that compliance processes have to be in place, they have to work and when you are making your risk-based decisions, you are dropping some compliance requirements but in other areas you are recognizing risk and increasing those requirements. To make those decisions and trade-offs you need better information” – that FAIR provides.
You’ll know you’re winning when stakeholders seek out the FAIR-powered risk team for input on decisions, said Simonis.
“There’s a difference between them doing the process because they have to vs. them getting real value in return for that engagement, where they come us saying ‘I have a couple paths I have to take, help me decide which has the most manageable risk for the company…and they do that because they want to. That to me would be a real success.”
The panelists agreed that FAIR pioneers should hold a “marketing” tour to explain the new risk model to stakeholders. “The beauty of FAIR is that it opens up the risk management discipline to people who are not steeped in it because it is so transparent and so easy to grasp,” said Simonis.
Once you get the basics across, said Conrad, “the neat thing about about FAIR is it creates visibility on assumptions and if you don’t agree with the assumptions now you have something you can argue about. And you can adjust those assumptions.
“When they buy in to the assumptions, they buy in to the numbers. Then they’re more comfortable when the results are different from what they had been assuming for a long time.”
Some final advice from Jack Jones on handling the social side of FAIR evangelism: “Think of rallying people to a common set of objectives rather than trying to be prescriptive and force people to see the world through your lens.”