Combining NIST CSF and FAIR to Drive Better Cyber Risk Decisions
We had a record turnout of attendees for our recent webinar "Combining NIST CSF and FAIR - Quantifying Cyber Risk to Drive Better Business Decisions." With adoption of NIST CSF approaching 50% of US organizations — and adoption of FAIR at over 30% of Fortune 1000 companies and growing — word about the synergy between these two standards is rapidly spreading.
To cover the basics:
- The two models are highly complementary and are increasingly being used by organizations to build cost-effective cyber risk management programs.
- NIST CSF is a set of cybersecurity best practices that helps organizations reduce their cyber risk exposure.
- FAIR is a cyber risk quantification model that shows practitioners where to prioritize effort among those best practices, and where security investments will return the most.
For some practical advice on leveraging FAIR and NIST CSF to maximum advantage, we tapped two veteran FAIR practitioners and RiskLens users:
- Ian Amit, Chief Security Officer at Cimpress, the parent company for multiple independent businesses, best known in the States for its Vistaprint unit. Ian is also President of the Board, Bsides Las Vegas, and a frequent speaker at the Black Hat and Def Con events.
- Chip Block, Vice President and Chief Solutions Architect at Converged Security Solutions, offering both cyber and physical security solutions to a wide range of government and corporate clients.
3 Tips from Ian Amit on combining NIST CSF and FAIR:
- Use NIST CSF to consistently assess the maturity of security best practices across business units — but recognize that the same score for different units doesn’t mean they have the same risk exposure. Use FAIR to quantify the risk and understand how specific threats affect specific businesses.
- Take a top-down approach to risk for the business units. Ian’s team asked business owners to identify their top 3-5 loss scenarios from a business point of view, not limited to cyber. That approach set cyber exposure in a meaningful context for business unit owners.
- Ian’s strategy at Cimpress: Take a managed security services provider approach, with a menu of services mapped to the CSF categories (identity management, access control, etc.), and delivered to the business units in customized packages, based on their risk profiles.
3 Tips from Chip Block on combining NIST CSF and FAIR:
- For assessing the controls in NIST CSF, measure based on variances, not just discrete values. In other words, look for what causes improvement. For example, Chip ran a FAIR analysis for one client to establish a baseline loss exposure for ransomware, then ran variances using what-if analyses to see which malware protection methods yielded the biggest risk reduction. As a result, the client was able to complete a cost-benefit analysis and make a business-driven decision on which investment should be prioritized.
- Focus on threat scenarios that are core to the business. “Don’t ask the question, What is the CVE number for a vulnerability?” Chip said. Instead: “Ask the question, If we lost service on this asset for eight hours, what is the loss?”
- Don’t fall down rabbit holes. Chip warned against running down individual controls that really won’t have an impact in the final analysis. Likewise, don’t fall for complex math that tries to turn NIST CSF scores into a magical formula — “you need to understand the context of the controls and how they impact the business.”
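To make the "baseline, then what-if variances" approach concrete, here is a small FAIR-style Monte Carlo in Python. It is an added illustration, not RiskLens code and not the analysis Chip ran: every range (threat event frequency, vulnerability, outage hours, loss per hour, response cost, control cost) is a constructed, hypothetical estimate for a single business unit. It samples each factor from a PERT (min, most likely, max) distribution, derives loss event frequency as TEF x Vulnerability, prices each event the way Chip suggests (hours of lost service times hourly loss, plus response cost), and then re-runs the same model with a control applied to see which option buys the most risk reduction per dollar.

```python
"""Toy FAIR-style Monte Carlo: baseline ransomware loss exposure plus what-if
control scenarios. Added illustration only; all figures below are constructed,
hypothetical estimates, not a client's data."""
import math
import random
from dataclasses import dataclass, replace
from statistics import mean, quantiles


# Each factor is a (min, most likely, max) triple, the calibrated-estimate
# form FAIR practitioners use, sampled here from a PERT distribution.
@dataclass(frozen=True)
class Scenario:
    name: str
    tef: tuple             # threat event frequency: attempts per year
    vuln: tuple            # probability an attempt becomes a loss event
    downtime_hours: tuple  # hours of lost service per loss event
    hourly_loss: tuple     # revenue/productivity loss per outage hour (USD)
    response_cost: tuple   # IR, recovery, legal, notification per event (USD)
    control_cost: float = 0.0  # annual cost of the control this scenario adds


def pert(rng, lo, ml, hi):
    """Sample PERT(min, most likely, max) via the equivalent Beta distribution."""
    if hi == lo:
        return lo
    a = 1 + 4 * (ml - lo) / (hi - lo)
    b = 1 + 4 * (hi - ml) / (hi - lo)
    return lo + (hi - lo) * rng.betavariate(a, b)


def poisson(rng, lam):
    """Number of loss events in one year given expected rate lam (Knuth's method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def annual_loss(rng, s):
    """One simulated year: LEF = TEF x Vuln, then loss magnitude per event."""
    lef = pert(rng, *s.tef) * pert(rng, *s.vuln)
    total = 0.0
    for _ in range(poisson(rng, lef)):
        primary = pert(rng, *s.downtime_hours) * pert(rng, *s.hourly_loss)
        secondary = pert(rng, *s.response_cost)
        total += primary + secondary
    return total


def simulate(s, years=10_000, seed=7):
    """Annualized loss exposure summary over many simulated years."""
    rng = random.Random(seed)
    losses = [annual_loss(rng, s) for _ in range(years)]
    return {"name": s.name, "mean": mean(losses),
            "p90": quantiles(losses, n=10)[8], "max": max(losses)}


def compare(baseline, options, **kw):
    """What-if variances: risk reduction and net benefit of each option."""
    base = simulate(baseline, **kw)
    rows = []
    for opt in options:
        r = simulate(opt, **kw)
        reduction = base["mean"] - r["mean"]
        rows.append({**r, "reduction": reduction,
                     "net_benefit": reduction - opt.control_cost})
    rows.sort(key=lambda r: r["net_benefit"], reverse=True)
    return base, rows


# Constructed, hypothetical estimates for one business unit (not real data).
BASELINE = Scenario("baseline", tef=(2, 6, 15), vuln=(0.10, 0.25, 0.50),
                    downtime_hours=(8, 24, 96), hourly_loss=(5_000, 15_000, 40_000),
                    response_cost=(20_000, 75_000, 250_000))
OPTIONS = [
    # Resilience control: tested offline backups shorten the outage, so the
    # loss magnitude falls while the loss event frequency is unchanged.
    replace(BASELINE, name="tested offline backups", downtime_hours=(4, 8, 24),
            control_cost=90_000),
    # Prevention control: endpoint protection lowers the share of attempts
    # that become loss events, so the loss event frequency falls.
    replace(BASELINE, name="EDR on all endpoints", vuln=(0.05, 0.12, 0.25),
            control_cost=150_000),
]

if __name__ == "__main__":
    base, rows = compare(BASELINE, OPTIONS)
    print(f"{base['name']:<24} mean ${base['mean']:>12,.0f}  p90 ${base['p90']:>12,.0f}")
    for r in rows:
        print(f"{r['name']:<24} mean ${r['mean']:>12,.0f}  p90 ${r['p90']:>12,.0f}"
              f"  reduction ${r['reduction']:>10,.0f}  net ${r['net_benefit']:>10,.0f}")
```

The point of the structure is the one Chip makes: the control is never scored on its own. Each option changes exactly one FAIR factor (outage hours for backups, vulnerability for endpoint protection), the rest of the model is held fixed, and the comparison is made on the resulting change in annualized loss net of the control's cost. Swap in your own calibrated ranges; the absolute numbers here mean nothing, the method does.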
Big lesson learned for Ian in leveraging FAIR and NIST CSF together:
“The lesson learned for us through engaging with our businesses is that this works at the CEO, managing director, and CFO level. This is something very practical to them. That was a huge contrast to the traditional models of high-medium-low-critical, where they felt engagement with security people was just fear-mongering. Here it’s purely a business discussion. It really required us to be able to accept risk, but at the end of the day, when you’re sitting at the table with business decision makers, it’s much easier to discuss risk with a quantifiable (financially-oriented) model.”