Adopting FAIR - How to Convince and Convert Key Teams in Your Organization

June 26, 2019  Jeff B. Copeland

If you’re the pioneer who’s going to introduce the FAIR model and the RiskLens platform to your organization, you’ve got a great story to tell — but you’ll need to tell it to a small village of stakeholders, each with their own points of view, agendas and standard operating procedures. Here are some tips on pitching cyber risk quantification to some key constituencies, starting with…

‘Soft Skills’ for a Successful FAIR Program Launch

Read this blog post by an experienced RiskLens Professional Services team member for ways to build the right relationships before even running your first analysis.

Steps include:

  • Hold a roadshow: introductory overviews for important audiences
  • Craft an elevator pitch: a 5-minute spiel you and your immediate team are ready to deliver in the moment
  • Start quantification in their comfort zone: at first, keep reporting on risk in the same format your colleagues know — heat maps, for instance — even though the underlying analysis is now quantitative rather than qualitative guesswork. For more on that, read 4 Steps to a Smarter Risk Heat Map

IT Risk Team

FAIR concepts are logical, don’t require heavy math lifting and should be easy to grasp for risk analysts. In this blog post, we cover Three Key Competencies for an IT Risk Team that answer questions on how quantification gets done: defining a risk scenario, mapping risk to the FAIR model and gathering data for the analysis from subject matter experts.

IT Audit Team

In How to Explain FAIR to Auditors, a former auditor turned RiskLens risk consultant describes her a-ha moment on realizing that “the overarching themes from auditing are still present” in FAIR analysis, that is, assessing the degree of cyber risk related to a particular asset. But the traditional audit approach only considers the controls around the asset — FAIR enables a much broader view of risk.

Enterprise Risk Team

Read Introducing Cyber Risk Quantification to Your Enterprise Risk Team — the key message here is that FAIR brings cyber risk management into the big tent of ERM by applying the same financial analysis to cyber as to other risk disciplines. Additionally, FAIR is compatible with the well-known and widely adopted risk management frameworks (e.g., NIST RMF, ISO 31000, COSO ERM, HITRUST).

Related topic: Chief Risk Officer’s Intro to FAIR and Information Risk Quantification

Chief Financial Officer and Other C-Suiters

With FAIR, risk and security teams can finally answer in financial terms the bottom-line questions from the C-suite, such as:

  • How much risk — or loss exposure — do we have, in dollar terms?
  • Are we spending too much or too little?
  • Are we focusing on the things that can reduce risk the most?
  • Should we drop some initiatives (for people or software) and double down on others?
  • Are we adequately insured for cyber risk?
  • By how much will new cybersecurity initiatives reduce risk?

Read: The CFO’s Guide to Making Sense of a Cybersecurity Budget

Chief Information Security Officer

FAIR and cyber risk quantification shouldn’t be a hard sell to the increasingly endangered job category of CISO. The title of this article by RiskLens CEO Nick Sanna says it succinctly: Cyber Risk = Business Risk. Time for the Business-Aligned CISO. “Data breaches, ransomware and other cyber attacks causing massive reputation issues (Equifax), knocking down merger prices (Yahoo!) or interrupting operations on a global scale (the NotPetya virus victims), have elevated cybersecurity concerns from the server room to the boardroom.” Not just boards, but regulators such as the SEC are pressing infosec managers to disclose and manage cyber risk from a financial perspective. “It’s a great opportunity for CISOs,” Nick writes, to elevate their status in the organization — if they can lift their view of risk above patches, maturity scores and other technical terms, and become truly business-aligned.