Thinking of Doing Risk Quantification? You’re in Good Company

November 6, 2019  Jeff B. Copeland

It’s a natural question. “OK, I’ve heard about the benefits of quantifying cyber risk in financial terms with the FAIR model to prioritize security investment and understand the value proposition of risk mitigation projects.

“But if cyber risk quantification (CRQ) is so great - who else is doing it?”

The short answer is: Companies like yours. FAIR has been adopted across industries, by organizations at any level of maturity in risk management.  All that’s really required is at least one risk, security or audit analyst with a willingness to learn FAIR and engage in some critical thinking about risk – and, to automate the process, the RiskLens Platform.

But to answer more specifically the “who”, here are some specifics:

The 6,000+ members of the FAIR Institute, the non-profit dedicated to spreading the word about risk quantification. Membership includes representatives from about one-third of the Fortune 1000.

Business services companies like ADP. The risk management team at the big payroll processor has been an enthusiastic advocate for FAIR, in particular Steve Reznik, the director of operational risk. Watch this video of a talk Steve gave at the 2019 RSA Conference on “ What Makes a Good KRI? Using FAIR to Discover Meaningful Metrics”, laying out how ADP uses FAIR on an ongoing basis to measure success in its risk management program.

Industrial and materials companies like Raytheon and Scotts Scotts Miracle-Gro. See the videos of representatives from the defense company and the ag company who attended the 2018 FAIR Conference, and talked about their FAIR adoption experiences. As Jayme Toolsie from Raytheon said, “the benefit of FAIR is being able to communicate cyber risk, something that is so nebulous and intangible, in a very tangible way to the decision makers who can understand the financial implications of it in a way that they can actually make a business decision.”

The U.S. Department of Energy. Greg Sisson, deputy chief information security officer at DOE, was quoted in  FedScoop: “DOE wants to increase cybersecurity visibility across its national labs and sites…But rather than focusing on which tools to deploy, the department is first assessing the data it needs. Once DOE implements a Factor Analysis of Information Risk, or FAIR, risk-assessment model, then it can start its cloud migration pilot. Expect more federal agencies to follow DOE’s example to meet federal guidelines on running “risk-based” cybersecurity programs.

Financial companies like Bank of America, Mass Mutual, Fidelity and Fannie Mae have spoken publicly about their use of the FAIR model. Watch the video of this recent talk by Matthew R. Martin, Senior Vice President Information Security and Technology, for LPL Financial, the leading independent broker-dealer, on introducing FAIR to his company. "Everything it touches, matures,” he said. wrote that “the most commonly used approach to quantifying cyber threats among banks remains the Factor Analysis of Information Risk (FAIR) model.”

Healthcare companies like Highmark Health, the national health and wellness services organization. Highmark CISO Omar Khawaja recently told Healthcare Innovations that the cliche may be “you cannot measure ROI on security but…that’s a pessimistic viewpoint, and in reality, there is significant value in trying to quantify cyber risk…It takes time for people to be willing to stand up to those truisms.”

Customers of the leading GRC software and security and risk consulting firms. RSA, Rsam, Protiviti, Wipro, CBIZ, TUV Rheinland OpenSky and PwC Australia all offer FAIR risk analysis through partnerships with RiskLens.

And many more… Read our case studies for examples of FAIR in use at more companies in manufacturing, retail, healthcare, finance and technology.