FAIR Helps Technology Business Management Shops Manage Cybersecurity

January 18, 2019 | Nicola (Nick) Sanna

In the past few years, many CIOs in large enterprises and government organizations got a seat at the business table as they positioned themselves as business enablers rather than mere IT caretakers. The emergence of new disciplines such as Technology Business Management (TBM) helped these CIOs better align themselves with business strategies and manage IT from a business-value rather than a purely technical perspective.

Yet, for many, there was still one large IT discipline that was considered too complicated to provide good value indicators that everybody, from IT to the business and the board, would understand: cybersecurity.

Fortunately, the development of new standard models such as Factor Analysis of Information Risk (FAIR), which evaluate the bottom-line impact of cybersecurity events and of risk mitigation initiatives, has removed that barrier. Many organizations that have adopted TBM are now looking at FAIR as a way to extend cost-effective decision-making and business-aligned reporting to the discipline of cybersecurity.

Managing IT Like a Business

The promise of TBM is to enable CIOs to translate IT into business value terms, so that executives can effectively decide on technology options and new investments to improve business outcomes, customer engagement and competitiveness. A standard taxonomy and a set of TBM best practices have been developed under the auspices of the TBM Council.

Some of the core tenets of TBM include:

  • Positioning for Value: Defining deliverables in terms of business capabilities.
  • Cost-transparency: Communicating cost and consumption to the business to drive informed trade-off decisions.
  • Delivering Value for Money: Measuring cost-effectiveness of IT service provided.
  • Planning and Governance: Aligning budgets and resources to strategic business imperatives.
  • Enabling the Right Value Conversations: Optimizing portfolios and investments to deliver the most value.

How does cybersecurity fit in this picture? Keep reading...

Cyber Risk = Business Risk

While CIOs are driving the rapid digitalization of business processes to enable phenomenal efficiencies and growth, this also brings a new range of technology risks that need to be understood and managed.

  • The impact of cyber threats is no longer limited to IT. The potential and the actual damages to the business have increased to the point where they are impacting the bottom line and have become a source of major concern for most business executives and corporate boards.
  • There has been little financial accountability for cybersecurity. Most often, cybersecurity has been treated as a technical concern and simple business questions such as "Are we doing enough?", "Are we focusing on the most important issues?" or "Are we spending too much or too little?" get unsatisfactory responses or none at all.
  • There is no such thing as perfect security. It's all about balancing the digital opportunities with the associated risk and achieving a sustainable risk posture.

Integrating Cybersecurity as Part of Your TBM Strategy

It is no coincidence, then, that a standard methodology for quantifying and managing cyber risk in any organization was being developed in parallel with TBM. FAIR provides a standard risk taxonomy as well as a model for understanding, analyzing and quantifying information risk in financial terms. Unlike traditional risk assessment frameworks, whose output consists of qualitative and highly subjective color charts or numerical weighted scales, FAIR builds a foundation for an economics-driven approach to cyber risk management.

Organizations implement FAIR with the help of purpose-built solutions such as RiskLens to:

  • Articulate cyber risk in a language that everyone understands: dollars and cents.
  • Prioritize risk mitigation initiatives based on business impact.
  • Calculate the ROI of cybersecurity initiatives via cost/benefit analysis.
  • Efficiently meet cyber regulations by focusing first on the issues that matter the most.
  • Add an economic dimension to risk frameworks such as NIST CSF and ISO 2700x.
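To make the "dollars and cents" and cost/benefit points above concrete, here is an added example (not RiskLens code and not part of the original post) of a FAIR-style calculation. It uses the public FAIR decomposition, where risk is loss event frequency times loss magnitude and loss event frequency is threat event frequency times vulnerability, to turn calibrated min/most-likely/max estimates into an annualized loss exposure (ALE) distribution, and then prices a control by its risk reduction against its annual cost. The phishing scenario, the estimates and the control cost are all constructed sample inputs, not figures from any real organization.

```python
"""FAIR-style risk quantification, as a constructed illustration.

Risk (annualized loss exposure, ALE) = Loss Event Frequency (LEF) x Loss Magnitude (LM)
LEF = Threat Event Frequency (TEF) x Vulnerability (probability a threat event
      becomes a loss event)
LM  = primary loss + secondary loss, per loss event

All numbers below are constructed sample inputs, not data from any real organization.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Tri:
    """A calibrated estimate as (min, most likely, max), sampled as a triangular distribution."""
    low: float
    mode: float
    high: float

    @property
    def mean(self) -> float:
        # Mean of a triangular distribution is the average of its three parameters.
        return (self.low + self.mode + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode); note the argument order.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Tri             # threat events per year
    vulnerability: Tri   # probability (0-1) that a threat event becomes a loss event
    primary_loss: Tri    # dollars per loss event: response, replacement, lost productivity
    secondary_loss: Tri  # dollars per loss event: fines, customer churn, reputation damage

    def expected_ale(self) -> float:
        """Closed-form expected ALE; inputs are treated as independent."""
        lm = self.primary_loss.mean + self.secondary_loss.mean
        return self.tef.mean * self.vulnerability.mean * lm

    def simulate(self, runs: int = 20_000, seed: int = 1) -> list:
        """Monte Carlo: one annualized loss figure per simulated year."""
        rng = random.Random(seed)
        losses = []
        for _ in range(runs):
            lef = self.tef.sample(rng) * self.vulnerability.sample(rng)
            lm = self.primary_loss.sample(rng) + self.secondary_loss.sample(rng)
            losses.append(lef * lm)
        return losses


def summarize(losses: list) -> dict:
    """Mean, median and 90th percentile of simulated annual losses, in dollars."""
    s = sorted(losses)
    return {"mean": statistics.fmean(s),
            "median": s[len(s) // 2],
            "p90": s[int(0.9 * len(s))]}


def control_roi(before: Scenario, after: Scenario, annual_cost: float) -> dict:
    """Cost/benefit of a control: expected risk reduction in dollars versus its annual cost."""
    reduction = before.expected_ale() - after.expected_ale()
    net = reduction - annual_cost
    return {"risk_reduction": reduction, "net_benefit": net, "roi": net / annual_cost}


# Constructed scenario: phishing leading to credential compromise of a business system.
PHISHING = Scenario(
    name="phishing -> credential compromise",
    tef=Tri(30, 60, 90),
    vulnerability=Tri(0.10, 0.30, 0.50),
    primary_loss=Tri(10_000, 20_000, 30_000),
    secondary_loss=Tri(0, 50_000, 250_000),
)
# Same scenario after a hypothetical control (e.g. phishing-resistant MFA) lowers vulnerability.
PHISHING_WITH_MFA = Scenario(
    name="phishing -> credential compromise (with MFA)",
    tef=PHISHING.tef,
    vulnerability=Tri(0.02, 0.04, 0.06),
    primary_loss=PHISHING.primary_loss,
    secondary_loss=PHISHING.secondary_loss,
)
MFA_ANNUAL_COST = 60_000  # constructed figure


if __name__ == "__main__":
    for sc in (PHISHING, PHISHING_WITH_MFA):
        stats = summarize(sc.simulate())
        print(f"{sc.name}: expected ALE ${sc.expected_ale():,.0f}; "
              f"simulated median ${stats['median']:,.0f}, p90 ${stats['p90']:,.0f}")
    r = control_roi(PHISHING, PHISHING_WITH_MFA, MFA_ANNUAL_COST)
    print(f"MFA: risk reduction ${r['risk_reduction']:,.0f}, "
          f"net benefit ${r['net_benefit']:,.0f}, ROI {r['roi']:.1f}x")
```

The closed-form expected value is what a board slide would carry; the simulated median and 90th percentile are what distinguish this from a weighted score, because they show how heavy the tail is, not just the average. Comparing two scenarios that differ only in the factor a control changes (here, vulnerability) is the cost/benefit step in the list above.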

See now why many organizations that have adopted TBM are turning to FAIR as a model for integrating cybersecurity into their TBM strategy? Quantifying cyber risk in financial terms enables the same level of business-aligned and data-driven decision making that is core to TBM.

Cyber risk economics is here and organizations such as ADP, Bank of America and HPE are leveraging both TBM and FAIR for managing IT and cybersecurity from the business perspective.

FAIR is an international standard by The Open Group, a global standards consortium sponsored by over 500 large enterprises and government and academic institutions, and is supported by an expert organization and large community called the FAIR Institute.

Resources to learn more about FAIR include an award-winning book ("Measuring and Managing Information Risk: A FAIR Approach") and an acclaimed training program and certification process.


RiskLens is a Strategic Sponsor of the TBM Conference 2017. If you are interested in learning more, representatives will be on hand at the RiskLens booth in the Sponsor Networking Pavilion.