With the recent Colonial Pipeline attack, measuring risk is on everyone’s minds. However, quantifying risk is often not an easy thing. There are so many factors that go into determining and measuring risk that it makes it difficult to pin any one thing down, especially in large enterprises.
However, without a method to weigh security and operational risk against cybersecurity threats, many companies are flying blind when weeding out threats and vulnerabilities in their systems. Organizations are starting to understand that threat event frequency is increasing in the face of the pandemic and the large number of digital transformation initiatives it spurred.
What is FAIR?
FAIR (Factor Analysis of Information Risk) is a model that breaks down different aspects of risk and monetizes the elements. Allowing security teams to break down the factors and relationships between risk factors lets companies gain a broader insight into how risk is addressed and where the gaps may be. Ultimately, FAIR assigns a monetary value to risk factors, successfully defining risk in a business context.
This newer way to frame risk is important because it allows businesses to translate cyber risk into a business context and create a narrative that will help get executive buy-in on cybersecurity initiatives. It enables CISOs to calculate return on security investment (RoSI) and allows for more transparency and risk visibility.
FAIR allows businesses to concretely measure, analyze, and understand risk. The nice thing about the FAIR model is that it can augment current security programs and, by doing so, strengthen the organization's security posture. Only once risk is understood can CISOs make informed decisions about risk scenarios and risk taxonomy.
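To make the "breaks down the factors and monetizes them" idea concrete, here is an added illustration that is not part of the original post or of any CyberSaint product. It follows the public FAIR taxonomy (risk expressed as annualized loss exposure = loss event frequency × loss magnitude, with loss event frequency = threat event frequency × vulnerability) and runs a small Monte Carlo over min / most-likely / max estimates, which is how FAIR practitioners usually express uncertain inputs. All scenario numbers, the `Estimate` class and the function names are constructed for this example; the RoSI formula at the end is the standard (loss avoided minus control cost) / control cost.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated min / most-likely / max estimate for one FAIR factor.

    Sampled as a triangular distribution; real FAIR tooling tends to use
    PERT, but the shape is close enough to show the mechanics.
    """
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)

    def mean(self) -> float:
        # Closed-form mean of a triangular distribution.
        return (self.low + self.likely + self.high) / 3.0


@dataclass(frozen=True)
class Scenario:
    """One FAIR risk scenario: a threat acting against an asset."""
    name: str
    threat_event_frequency: Estimate   # threat events per year
    vulnerability: Estimate            # probability a threat event becomes a loss event (0..1)
    loss_magnitude: Estimate           # loss per loss event, in currency units


def loss_event_frequency(tef: float, vulnerability: float) -> float:
    """FAIR: LEF = TEF x Vulnerability."""
    return tef * vulnerability


def annualized_loss_exposure(lef: float, loss_magnitude: float) -> float:
    """FAIR: ALE (risk) = LEF x Loss Magnitude."""
    return lef * loss_magnitude


def fair_point_estimate(tef: float, vulnerability: float, loss_magnitude: float) -> float:
    """Single-value FAIR calculation, useful as a sanity check on the simulation."""
    return annualized_loss_exposure(loss_event_frequency(tef, vulnerability), loss_magnitude)


def simulate(scenario: Scenario, trials: int = 20_000, seed: int = 7) -> dict:
    """Monte Carlo over the three estimates; returns mean and percentiles of ALE."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    results = []
    for _ in range(trials):
        tef = scenario.threat_event_frequency.sample(rng)
        vuln = scenario.vulnerability.sample(rng)
        lm = scenario.loss_magnitude.sample(rng)
        results.append(fair_point_estimate(tef, vuln, lm))
    results.sort()

    def pct(p: float) -> float:
        return results[min(len(results) - 1, int(p * len(results)))]

    return {"mean": sum(results) / len(results), "p10": pct(0.10),
            "p50": pct(0.50), "p90": pct(0.90)}


def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Return on security investment: (loss avoided - control cost) / control cost."""
    return (ale_before - ale_after - control_cost) / control_cost


# Constructed sample scenario (all numbers are illustrative, not measured data):
# phishing-driven credential theft against a customer-facing portal.
PORTAL_SCENARIO = Scenario(
    name="credential theft via phishing against customer portal",
    threat_event_frequency=Estimate(6, 12, 24),
    vulnerability=Estimate(0.10, 0.25, 0.50),
    loss_magnitude=Estimate(20_000, 50_000, 200_000),
)

if __name__ == "__main__":
    stats = simulate(PORTAL_SCENARIO)
    print(f"{PORTAL_SCENARIO.name}")
    print(f"  annualized loss exposure: mean={stats['mean']:,.0f} "
          f"p10={stats['p10']:,.0f} p50={stats['p50']:,.0f} p90={stats['p90']:,.0f}")
    # Suppose phishing-resistant MFA (assumed to cut vulnerability to 0.02-0.05)
    # costs 40,000 per year; compare ALE before and after to get RoSI.
    hardened = Scenario(PORTAL_SCENARIO.name, PORTAL_SCENARIO.threat_event_frequency,
                        Estimate(0.02, 0.03, 0.05), PORTAL_SCENARIO.loss_magnitude)
    after = simulate(hardened)["mean"]
    print(f"  RoSI of MFA at 40,000/yr: {rosi(stats['mean'], after, 40_000):.2f}")
```

The point of expressing every factor as a range rather than a single guess is that the output is a distribution: the p90 figure is what a CISO takes to the board as the plausible bad year, and the RoSI comparison turns a control decision into the same financial language the rest of the business already uses.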
NIST & FAIR
COVID-19 forced organizations to become dependent on digital operations to avoid extinction in the face of the pandemic. The number of threat agents skyrocketed as companies were pushed into digital spaces to survive. Loss events became more commonplace, stressing CISOs and other security professionals. Threat capabilities, and what enterprise systems were equipped to deal with, were being re-assessed, pushing organizations to adopt new frameworks and better practices like NIST.
The National Institute of Standards and Technology developed the Framework for Protecting Critical Infrastructure Cybersecurity in response to an executive order from President Obama. The first version of what would later be dubbed the NIST Cybersecurity Framework (CSF) was released in 2014. What was unique about V1 was the decentralized and collaborative way it was developed. CyberSaint Founder George Wrenn and co-founder Padraic O'Reilly were contributors to the development of the Framework.
It is often the aspiration of many security leaders, whether at a small business or a multi-billion dollar enterprise, to adopt the NIST CSF for their organization. Its comprehensive and flexible nature makes it the most future-proof framework to navigate both new technologies entering the market as well as new regulations hitting almost every industry. The NIST CSF, though, can also be challenging to adopt, given its wide-ranging nature. For many security leaders, often tasked with adopting the CSF from their CEO or the Board of Directors, selecting where to begin is the greatest challenge.
To date, the FAIR Model has been widely debated in the security community for its approach and its ability to quantify cyber risk in financial terms. With NIST adding FAIR as an informative reference to the wildly popular Cybersecurity Framework, though, the FAIR model has moved from obscurity to primary business practice.
Because there are so many regulations and frameworks that different industries map to, it’s crucial for any new risk quantification methodology to work well with existing frameworks. FAIR helps organizations determine where their greatest strengths are as well as where they have room for improvement and growth.
Who can adopt the FAIR model?
Ideally, those with an integrated risk management (IRM) solution and a more mature security posture would be the ones adopting a FAIR model to supplement their already existing frameworks. Gartner defines IRM as a set of practices and processes, supported by a risk-aware culture and enabling technologies, that improve decision making and performance through an integrated view of how well an organization manages its unique set of risks. With the end goal of modern information security teams being to deliver data that supports a broader enterprise risk management strategy, taking an integrated approach is critical to delivering on these needs.
Quantifying risk is a relatively new practice. While the need for concrete cyber risk quantification has emerged, the landscape of risk assessment frameworks for quantifying risk is still fragmented. Cyber risk quantification is often viewed as an impractical process that is ambitious but, overall, relatively futile given the novelty of the concept. The RoSI is challenging to measure, and the results are challenging to condense into a business-friendly context.
This has pushed CISOs to favor a qualitative approach to risk evaluation. As demand for digital transformation grows, CISOs are under more pressure than ever before to effectively communicate risk to a broad audience, including C-suite executives and company employees.
Many risk quantification solutions available today are, for all intents and purposes, black-box solutions that ingest risk data and return solution-specific metrics with little to no explanation of how those metrics were derived. When we compare "glass-box" with black-box approaches in cybersecurity, we are really talking about transparent risk quantification versus shielded risk quantification: whether the inputs, factors, and calculations behind a risk figure can be inspected and challenged.
CISOs should focus on how “glass-box” solutions can increase a security leader’s confidence level to give them faster insights, leading to smarter decisions and meaningful action in a crisis.
By settling on a plan and placing it into policy, companies can achieve cyber resiliency. They will have the ability to respond quickly to threats and address them promptly. IT and the business will become more integrated, trusting each other to address concerns proactively and to communicate when they do so.
FAIR gives organizations the ability to gain company-wide buy-in on security initiatives to move to the next level of risk quantification and transparency.
To learn more about how CyberStrong can help your risk quantification process, contact us.