With the recent Colonial Pipeline attack, measuring risk is on everyone’s mind. However, quantifying risk is rarely easy. So many factors go into determining and measuring risk that it is difficult to pin any one thing down, especially in large enterprises.
Without a method to balance security and operational risk against cybersecurity threats, many companies are flying blind when weeding out threats and vulnerabilities in their systems. Organizations are beginning to understand that threat event frequency is increasing in the face of the pandemic and the large number of digital transformation initiatives it spurred.
What is FAIR?
FAIR (Factor Analysis of Information Risk) is a model that breaks risk down into its component factors and monetizes them. Letting security teams separate those factors and the relationships between them gives companies broader insight into how risk is addressed and where the gaps may be. Ultimately, FAIR assigns a monetary value to risk factors, defining risk in a business context.
This newer way to frame risk is crucial because it allows businesses to translate cyber risk into a business context and create a narrative to help get executive buy-in on cybersecurity initiatives. It will enable CISOs to calculate return on security investment (RoSI), allowing for more transparency and risk visibility.
The FAIR risk methodology allows businesses to measure, analyze, and understand risk concretely. The nice thing about the FAIR model is that it can augment current security programs and, by doing so, strengthen the organization's security posture. Only once the risk is understood can CISOs make informed decisions about risk scenarios and taxonomy.
NIST & FAIR
COVID-19 forced organizations to become dependent on digital operations to avoid extinction in the face of the pandemic. The number of threat agents skyrocketed as companies were pushed into digital spaces to survive. Loss events became more commonplace, stressing CISOs and other security professionals. Threat capabilities and what enterprise systems were equipped to deal with were being re-assessed, pushing organizations to adopt new frameworks and better practices like NIST.
The National Institute of Standards and Technology developed the Framework for Protecting Critical Infrastructure Cybersecurity in response to an executive order from President Obama. The first version of what would later be dubbed the NIST Cybersecurity Framework (CSF) was released in 2014. What was unique about the development of V1 was the decentralized and collaborative way it was developed. CyberSaint Co-founder Padraic O'Reilly was a contributor to the development of the Framework.
It is often the aspiration of many security leaders, whether at a small business or a multi-billion dollar enterprise, to adopt the NIST CSF for their organization. Its comprehensive and flexible nature makes it the most future-proof framework for navigating new technologies entering the market and new regulations hitting almost every industry. However, the NIST CSF can also be challenging to adopt, given its wide-ranging nature. For many security leaders, often tasked with adopting the CSF by their CEO or the Board of Directors, selecting where to begin is the greatest challenge.
The FAIR Model has been widely debated in the security community for its approach and ability to quantify cyber security risk in financial terms. Security practitioners can quantify cyber risks to accurately detail loss exposure, loss event frequency, and the estimated financial loss of a cyber attack or event using the FAIR methodology.
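To make the factors named above concrete, here is an added example (not code from the original post or from any FAIR tooling) that applies the standard FAIR decomposition: threat event frequency times vulnerability gives loss event frequency, and loss event frequency times loss magnitude gives annualized loss exposure, with RoSI derived from the loss reduction a control buys. The scenario figures and the use of a triangular distribution in place of FAIR's usual PERT calibration are assumptions for illustration.

```python
"""Simplified FAIR-style risk quantification with three-point estimates."""
from dataclasses import dataclass
import random
import statistics


@dataclass
class Estimate:
    """Calibrated three-point (min, most likely, max) estimate for a FAIR factor."""
    low: float
    likely: float
    high: float

    def sample(self, rng):
        # Assumption: triangular distribution stands in for the PERT used by FAIR tools.
        return rng.triangular(self.low, self.high, self.likely)


@dataclass
class Scenario:
    name: str
    tef: Estimate            # threat event frequency: threat events per year
    vulnerability: Estimate  # probability a threat event becomes a loss event (0..1)
    loss_magnitude: Estimate # dollars lost per loss event


def point_estimate(s):
    """LEF = TEF x Vulnerability; annualized loss = LEF x Loss Magnitude (most-likely values)."""
    lef = s.tef.likely * s.vulnerability.likely
    return {"lef": lef, "annual_loss": lef * s.loss_magnitude.likely}


def simulate(s, trials=10000, seed=1):
    """Monte Carlo over the three-point estimates; returns mean and P10/P90 annual loss."""
    rng = random.Random(seed)
    losses = sorted(s.tef.sample(rng) * s.vulnerability.sample(rng) * s.loss_magnitude.sample(rng)
                    for _ in range(trials))
    return {"mean": statistics.fmean(losses),
            "p10": losses[int(0.10 * trials)], "p90": losses[int(0.90 * trials)]}


def return_on_security_investment(loss_before, loss_after, control_cost):
    """RoSI = (annual loss avoided - annual control cost) / annual control cost."""
    return ((loss_before - loss_after) - control_cost) / control_cost


# Constructed scenario for illustration; the numbers are not from any real assessment.
PHISHING = Scenario("Credential phishing against finance staff",
                    tef=Estimate(10, 25, 60),
                    vulnerability=Estimate(0.05, 0.10, 0.20),
                    loss_magnitude=Estimate(50_000, 200_000, 1_000_000))

if __name__ == "__main__":
    print(PHISHING.name, point_estimate(PHISHING), simulate(PHISHING))
```

The P10/P90 spread is what separates this from a single-number guess: it is the range a CISO can defend in front of the board, and the RoSI helper turns a proposed control's cost into the business framing the post describes.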
With NIST adding FAIR as an informative reference to the wildly popular Cybersecurity Framework, the FAIR model has moved from obscurity to primary business practice.
Because there are so many regulations and frameworks that different industries map to, it’s crucial for any new risk quantification methodology to work well with existing frameworks. FAIR helps organizations determine their greatest strengths and where they have room for improvement and growth.
Who can adopt the FAIR model?
Ideally, those with an integrated risk management (IRM) solution and a more mature security posture would be the ones adopting a FAIR model to supplement their already existing frameworks. Gartner defines IRM as a set of practices and processes supported by a risk-aware culture and enabling technologies that improve decision-making and performance through an integrated view of how well an organization manages its unique set of risks.
With the end goal of modern information security teams being to deliver data that supports a more significant cyber risk management strategy, taking an integrated approach is critical to delivering on these needs.
Quantifying risk is a relatively new practice. While the need for concrete cyber risk quantification has emerged, the landscape of risk assessment frameworks to quantify risk is still fragmented. Cyber risk quantification is often viewed as an impractical process that is ambitious but, overall, relatively futile given the novelty of the concept. The RoSI is challenging to measure, and the results are challenging to condense into a business-friendly context.
This has pushed CISOs to favor a qualitative approach to risk evaluation. As demand for digital transformation grows, CISOs are under more pressure than ever before to effectively communicate risk to a broad audience, including C-suite executives and company employees.
Many risk quantification solutions available today are, for all intents and purposes, black-box solutions that ingest risk data and return solution-specific metrics with little or no explanation of how those metrics were derived. When comparing “glass-box” and black-box approaches in cybersecurity, we are talking about transparent risk quantification versus shielded risk quantification.
CISOs should focus on how “glass-box” solutions can increase a security leader’s confidence level to give them faster insights, leading to smarter decisions and meaningful action in a crisis.
Companies can achieve cyber resiliency by securing a plan and placing it into policy. They will be able to respond quickly to threats and address them promptly. IT and business will become more integrated and will trust each other to address concerns proactively and communicate when they do so.
FAIR allows organizations to gain company-wide buy-in on security initiatives to move to the next level of cyber risk quantification and transparency.
To learn more about how CyberStrong can help your cyber risk quantification process, contact us.