At the most recent meeting of the San Francisco Bay Area Chapter of the FAIR Institute, a group of local practitioners, analysts and C-level executives gathered for a panel discussion on the Factor Analysis of Information Risk (FAIR) methodology. The discussion was hosted by Protiviti, which recently joined the FAIR Institute community as a Founding Sponsor in Advisory Services. We have written previously about FAIR and welcomed this opportunity to facilitate further conversations.
The panel consisted of Jack Freund, Director of Risk Science at RiskLens and co-author of Measuring and Managing Information Risk: A FAIR Approach; Evan Wheeler, VP of Risk Management, CISO at Financial Engines, and author of Security Risk Management: Building an Information Security Risk Management Program from the Ground Up; and Vince Dasta, a leader of Protiviti’s Cyber Risk Quantification solutions and service offerings. Tyanna Smith moderated the discussion.
The FAIR methodology has changed the way cyber experts think and speak about risk in a threat environment where they are faced with uncertainty daily. The attendees came together with one common goal – to understand how to better evaluate the cyber risks their organizations are faced with and deliver meaningful and actionable reporting on these risks.
Most panel discussions require some amount of encouragement to solicit questions from the audience and maximize the panel’s expertise. This discussion was far from needing encouragement. Attendees showed active interest in anything from adopting FAIR, to the shortage of FAIR analysts, to the need for continuity and support from the C-suite to take full advantage of the methodology’s benefits.
Below are key takeaways from the discussion on how to go about implementing FAIR:
- Take baby steps – Often, when implementing a new program or process in an organization, people want to get to the end state as quickly as possible. However, making incremental but impactful changes may be more effective. For example, conducting a FAIR analysis for security policy exception requests enables buy-in and additional support from stakeholders who can see more immediate results without redesigning the entire risk management program.
- Take a “piggyback” approach – When an initiative or project is already in place, find where the risk analysis can deliver the most impact and present the results within that project. Socializing FAIR risk analysis through existing projects is often the easiest and most palatable route to adoption of the method.
- Take a phased approach – When rolling out a program, find what will be most impactful and gradually initiate each of the steps below to help gain support and understanding for FAIR.
  - Translate your risk register into FAIR statements/scenarios and prioritize them through a rapid, high-level quantitative analysis.
  - Quantify the key aspects tied to the key revenue-generating business processes.
  - Show the benefit of presenting risk in dollars and cents. Present not only the ROI of implementing a control, but also the impact of the program within the organization: whether it’s disaster recovery, optimization, or positive revenue to the business, all are factors of the program’s ROI.
- Find allies – People accustomed to traditional risk analysis throughout the organization may see this new form of risk management as a threat; however, your work can actually lead to proving the net worth of the program to a line of business or job function. Emphasize to the process or business owners that you are there to learn about the business in order to show how vital each person, system or control is.
The panel discussion was an excellent preparation for the FAIR Conference coming up next month, where Protiviti is a sponsor. This year, the year of adoption, is going to be the best one yet.