How to Manage a Cybersecurity Program with NIST CSF and FAIR

January 25, 2019  Jeff B. Copeland

Ian Amit faces a complex management problem as Chief Security Officer at Cimpress, the parent company for multiple independent businesses: Each unit chooses and operates its own technical stack and security and risk management in a “shared security responsibility” model. How to lead from behind?

As Amit describes in an article for Forbes Technology Council, Two Frameworks for Securing a Decentralized Enterprise, he breaks the security organization’s main tasks down to two

  • “Providing clear and transparent metrics for security maturity and
  • “Providing a means for measuring (really, this means quantifying) risk in a way that supports decision making around changing controls.”

Amit’s solution:

  • NIST CSF for communication on maturity.

“This baselining allows businesses to better align themselves with existing policies (which are translated to the minimal required maturity levels) and map out their tactical security gaps.”


With its quantified analysis output, FAIR brings “immediate buy-in from business leaders while providing them with means of making informed decisions about their risks…At this point, we’ve turned security and risk management into a business problem that’s more ‘easily’ solved through financial measurements of recommended changes and their impact on previously expected losses.”

FAIR also shows the way to “prioritize these tasks of closing maturity level gaps” to make NIST CSF analysis actionable based on potential risk reduction, Amit writes.

Like Cimpress, many security organizations are discovering that FAIR analysis picks up where the NIST CSF process leaves off.  For some concrete examples of how that’s done, read our blog posts  How NIST CSF and the FAIR Risk Model Are Complementary and  Adding Dollars and Cents to Your NIST CSF Reporting.

And for a deep dive into leveraging the leading cybersecurity maturity framework with the leading cybersecurity risk analysis model together, read the 5-part series by FAIR creator Jack Jones,  NIST CSFT & FAIR, on the FAIR Institute blog.

The  FAIR model that powers the  RiskLens application is the only international standard quantitative model for cyber security and operational risk. Unlike risk assessment standards that focus their output on qualitative color charts or numerical weighted scales, the FAIR model specializes in financially derived results tailored for enterprise risk management.

The FAIR Institute has over 11,000 members sharing information on use of the FAIR approach to risk. Leading technology analyst firm Gartner  identified risk quantification as a critical capability for any effective cyber risk management program.

Bring risk quantification to your organization – get FAIR training from the  RiskLens Academy online or on site.