NIST Cites RiskLens Platform User Cimpress for FAIR-NIST CSF “Success Story”

By Jeff B. Copeland | September 10, 2019


The National Institute of Standards and Technology (NIST), keeper of the Cybersecurity Framework (NIST CSF) widely used by US businesses and mandatory for federal agencies, has published a case study of a “success story” integration of NIST CSF and the FAIR model by Cimpress, the international printing company, and a user of the RiskLens Platform (powered by FAIR).

The case study Success Story: Cimpress-FAIR on the NIST CSF website, outlines how Cimpress combined “the qualitative approach of the CSF with quantitative risk analysis based on the FAIR (Factor Analysis of Information Risk) model.”

Cimpress created maturity scores for how well the controls recommended by the CSF are implemented across its 17 decentralized business units, then used FAIR analysis to make sure that controls were relevant to loss scenarios for each unit so “the risk management staff could more clearly see how investing in increasing maturity would impact the expected losses related to each scenario. That turned the process into a highly measurable one that can be more easily justified in terms of budget allocation and risk tolerance.”

Combining the NIST CSF and the FAIR model (with its standardized terminology for analyzing risk) means Cimpress can “easily identify improvement areas for each business” and at the same time “enable self-reporting/assessment with minimal need for security expertise.”

Cimpress Chief Security Officer Ian Amit recently gave RiskLens clients a briefing with detail on how he implemented the dual CSF-FAIR program, and how he plans to use the RiskLens Platform to automate and expand the process – listen to the discussion in this webinar.  If you’re attending the FAIR Institute’s 2019 FAIR Conference, September 24-25, at National Harbor, MD, near Washington, DC, you can also hear Amit and Kevin Stine, Chief of the Applied Cybersecurity Division at NIST, in a panel discussion on “Building a Cybersecurity Program with a Risk Management Framework & FAIR.”

FAIR is the international standard for cyber risk quantification. More than 6,000 FAIR practitioners are members of the FAIR Institute, including representatives from over 30% of the Fortune 1000. The Institute was recently honored by SC Media as one of the three "Most Important Industry Organizations of the Last 30 Years".  RiskLens is the technical adviser to the Institute.