Increasingly, I hear this question from clients: I’m sold on the value of risk quantification and the transformative power of cyber risk economics – but how do I sell this new message to my board of directors?
Now I have a ready answer: The FAIR Institute has partnered with CyberVista, the leading cybersecurity education and workforce development company, on a cyber risk curriculum for board directors, as part of CyberVista’s Resolve Board and Executive Cybersecurity Training.
FAIR is the quantitative risk analysis model that powers the RiskLens application and RiskLens is the technical adviser to the FAIR Institute, a 3,000-member non-profit group that promotes education on cyber risk quantification (the annual FAIR Conference is coming up on October 16 at Carnegie Mellon in Pittsburgh). RiskLens’ training lead, David Musselwhite worked with CyberVista to develop the FAIR training component.
Steve Tabacek is Co-Founder and President of RiskLens
CyberVista CEO Amjed Saffarini said “We aligned our curriculum with the FAIR Institute as we share the vision to align risk leaders with business leaders. This critical conversation is not happening in most board rooms.”
I couldn’t agree more. For too long, directors have settled for less from information and technology risk management than they expect from the rest of enterprise risk management, namely to identify the highest loss exposure scenarios in financial terms and cost efficiently prioritize mitigation options.
Instead, boards have been mis-educated to think that cyber risk cannot be measured like other forms of enterprise risk. They are accustomed to a strong focus on threat and vulnerability statistics and cyber risk being represented has high-medium-low, red-yellow-green, or some qualitative way of expressing control efficacy with industry standard cyber control frameworks such as NIST or ISO.
But that limitation increasingly leaves boards in the lurch, for instance, as regulators hold directors responsible for financial disclosure of cybersecurity risk – see the recent guidance from the SEC or the New York Department of Financial Services regulations.
The FAIR model for financial analysis of cyber risk is the answer, this new program from CyberVista will make it more widely available to a board-level audience—and board members should welcome it. Learn more about CyberVista board training.
Gartner endorses risk quantification as one of the five pillars of cybersecurity risk management.