As more organizations begin to adopt cyber risk quantification (CRQ) techniques to complement their existing risk management functions, renewed attention is being brought to how organizations can invest in CRQ in the most cost-effective ways. The Factor Analysis of Information Risk (FAIR) methodology remains the most widely accepted industry standard for CRQ and organizations continue to seek out the best ways to implement the methodology. The ultimate goal for our clients in using the methodology is to effectively communicate results to their organization enabling more sound decision making.
Addressing those questions head-on, the FAIR Institute selected “scale” as the theme of FAIRCON22, held recently in Washington, D.C. The FAIR Institute is an expert nonprofit organization dedicated to the discipline of measuring and managing information risk and led by information risk officers, chief information security officers (CISOs) and business executives. As of 2020 (last publicly available release), the FAIR Institute’s membership is represented by 118 countries and over 40% of Fortune 500 companies.
We share below some of our key takeaways from the conference and some highlighted presentations.
Scale has been the ultimate challenge with the FAIR methodology to date, and we thinkProtiviti agrees the theme of scale appropriately reflects the challenges many organizations are facing. Many security practitioners have attempted to use FAIR as a replacement for other risk assessment processes which FAIR was never intended to replace. This had garnered some reasonable criticism that the model is difficult to scale – but that is less an indictment of the model than it is an expression of the industry’s need to change the way we all think about risk, and the tools we should be using to quantify it. The theme of scale was highlighted by Protiviti during our panel on day two of the conference; read more in detail from that panel below (see Scaling a Quantitative Risk Management Program).
Originally introduced at FAIRCON21, the FAIR Control Analytics Model (FAIR-CAM™) made regular appearances in sessions this year. From those sessions, it was clear that we are still early in the process of determining how organizations can effectively utilize this model. FAIR-CAM is an early building block that is a necessary tool in figuring out what data we need, and how to more consistently apply it to cyber risk scenarios. FAIR-CAM can ultimately achieve better scale in a way that is defensible (see below, Cyber Risk Model Governance), but is early in its maturity and needs continued industry investment to realize its full potential.
Communicating with the board
One of the underlying themes of the conference was how to better communicate cyber risk to an organization’s executives and board of directors. The origins of FAIR, after all, are rooted in enabling more effective decision making.
A panel discussion on day two of the conference highlighted this challenge and discussed how communicating cyber risk to the Board is changing. The panel discussed the recent report from the NACD, World Economic Forum, and Internet Security Alliance, and other partners, titled Principles for Board Governance of Cyber Risk. This paper highlights the six principles for board governance of cyber risk, which the panel discussed, and which are outlined below:
- Cybersecurity is a strategic business enabler.
- Understand the user of economic drivers and the impact of cyber risk.
- Align cyber-risk management with business needs.
- Ensure organizational design supports cybersecurity.
- Incorporate cybersecurity expertise into board governance.
- Encourage systemic resilience and collaboration.
In addition, this session and others highlighted the importance of using FAIR to define and support risk appetite and tolerance. On the panel was the Associate CISO of KU Health, Michael Meis, who provided guidance on using FAIR in the context of interpreting an organization’s risk appetite and tolerance.For some examples of how to effectively use FAIR in setting risk appetite and tolerance statements, check out Protiviti’s prior blog post at the FAIR Institute’s blog, Cyber Risk Management: Establishing a Blueprint with FAIR.
Cyber risk model governance
Many sessions focused on the importance of not only quantifying risk but doing so in an open and repeatable manner. From the keynote presented by Jack Jones, FAIR model creator and FAIR Institute Chairman, to Senior Cybersecurity Specialist with the U.S. Federal Reserve Matthew Tolbert’s session Trends in Determining Systemic Cyber Risk for the Financial Services Industry, the level of trust In FAIR as a model was a key theme. This is no surprise as many security vendors are working rapidly to incorporate risk quantification into their tools – but caveat emptor (or buyer beware) as many of the industry approaches being developed are closed models or may rely on inaccurate or incomplete methods. FAIR is open-source and trusted, and while we cannot truly eliminate subjectivity, FAIR provides a way to acknowledge and express that subjectivity, while other methods generally do not. Regulators appear to be aware of this risk, and several sessions pointed out that more regulators are asking questions about cyber risk scoring models and challenging their underlying assumptions. FAIR is trusted because it provides a mechanism to perform risk analyses with clearly documented assumptions that can be challenged and vetted by executive leaders.
Highlights from Protiviti’s panels
Panel: Scaling a Quantitative Risk Management Program – Protiviti led a panel moderated by Andy Retrum, Managing Director and including Tim Kelly, Senior Manager – Security and Privacy at Protiviti and one of the authors of this blog; David Severski, Senior Security Data Scientist at the Cyentia Institute; and Brenda Thayer, Senior Risk Manager at Fannie Mae. This discussion focused on some of the core building blocks required to scale a quantitative risk management program.
One key challenge discussed by the panelists was the dependence that quantitative risk programs can have on FAIR champions. The panel considered how regular reporting on emerging cybersecurity issues was a useful way to make quantitative outputs relevant in discussions with senior leadership and the board. If FAIR is seen as a tool for better decision-making, broader adoption and integration will follow.
Panel: Mapping Leading Control Frameworks to FAIR-CAM – Capping off the day was a much-anticipated panel on FAIR-CAM and control mapping. Protiviti’s Daniel Stone (also an author of this blog) was a participant on this panel, moderated by Jack Jones and including Erin Macuga, Manager Risk and Information Security at Thrivent Financial; Robert Immella, Global Leader of Cyber Risk Quantification at Caterpillar Inc.; Tyler Britton, Quantitative Cyber Risk Manager at Dropbox; and Drew Brown, Information Security Developer at the Federal Aviation Administration.
The panelists discussed their experiences mapping several leading control frameworks (i.e., NIST 800-53, CIS, and ISO 27000 series controls) to the FAIR-CAM model. Unique challenges were shared but the consensus was that existing control frameworks were not adequately designed to help organizations effectively address risk and that the industry needs to do more to rectify this. In the discussion, Stone summarized the current state of FAIR-CAM by saying that while FAIR-CAM provides a recipe for putting the ingredients together, those controls sometimes have no real relation to each other. He added that there needs to be more research done on control efficacy to truly operationalize FAIR-CAM.
While scale was a key theme of the conference, we found the other key takeaways of communicating with boards and cyber risk model governance are instrumental in achieving scale goals. Scaling an effective cyber risk quantification program is only achievable when the outputs are trusted and thoroughly vetted, and an organization’s board and executive management understand the purpose of quantifying cyber risk. FAIR and FAIR-CAM are valuable models in achieving this goal. Protiviti has built successful risk quantification programs for a wide variety of organizations, and the organizations that prioritize involving the board and executive management in the risk analysis process upfront are, without a doubt, the most successful.