December 15, 2023
Cyber Risk

How FAIR Enables CISOs to Drive Business Outcomes

You’ve heard of FAIR, the standard for cyber risk quantification. It may sound technical, but as Nick Sanna, Founder of the FAIR Institute and President of Safe Security, explains in this video, FAIR is actually a business enabler.

With FAIR, security leaders can measure cyber risk in the financial terms the business uses daily to make decisions. That opens the way for CISOs to speak to business leaders about tradeoffs: security investment for outcomes in dollars.

Watch this short video to learn about the benefits of the FAIR approach for your security program and the exciting advancements in automating FAIR to enable risk-based security decisions in real time.

0:00 Erica Schaubroeck (Erica)

So Nick Sanna, CEO and President of RiskLens, which is now Safe Security, and the founder of the FAIR Institute, and the topic of the week – and I think a conversational trend that we're seeing is, you know, how CISOs and security teams can leverage FAIR – the Factor Analysis of Information Risk – to make business decisions, and then also how do you kind of leverage that to become a business enabler?

Because I think historically, you know, cybersecurity has kind of been seen as a necessary task to business. But when we think about Cyber Risk Quantification, it's, you know, can we gain visibility into our breach likelihood? And then, more importantly, do we understand the financial impact behind that breach likelihood and either the mechanism or maybe the method of how we arrived at that analysis?

And so to take that one step further, you know, CISOs and risk leaders can, you know, use that to drive business outcomes and get their internal peers, and so IT or the GRC team or maybe product engineering, to speak a common language, which is dollars, and something that I think everyone can get behind and then start to drive those initiatives.

And so the question is, you know, how does FAIR, and specifically the automation of FAIR, enable risk leaders to drive positive outcomes?

1:22 Nick Sanna (Nick)

You know, thank you, Erica. First of all, for having me and for addressing, you know, a very important topic. I think you're absolutely right. A lot of cybersecurity leaders struggle to communicate about cyber risk in terms of what the business can understand and can use to achieve or protect positive business outcomes. And they even struggle to answer basic questions that the business is asking, you know, and they hear almost every day now, which is how much risk do we have, you know, or what are our top risks?

Sometimes the CFO and the board have discussions about spending, you know, always spending too much or too little. And oftentimes, the board or the business leaders may ask them, what would it take to get risk to an acceptable level?

Or if they are thinking about digital, digital transformation, what is the risk of moving certain workloads to the cloud and, then subsequently, what can we do to mitigate it?

2:21 Nick

You know, questions that the CISO and cyber risk leaders face every day, and they typically struggle to answer them because, you know, when I speak to CISOs, they tell me, Nick, we've been trained in understanding and speaking and managing threats and vulnerabilities. We have not been trained in answering those questions.

So, when the FAIR model comes in – it is a standard Cyber Risk Quantification model – it allows them to define and measure cyber risk in a language the business can understand, which is the financial language. You know, the business deals with financial language to make decisions on a daily basis – how much resources to allocate in this activity, what is the return on investment – and this should be the same, you know, in cybersecurity.

And so FAIR helps, you know, break down the factors that make up the likelihood, you know, and impact of cyber incidents so that you can speak in those business terms.

And by doing so, I think the discussion between CISOs and the business leaders can change from one that focuses on technical details to one that focuses more on tradeoffs between various security investments and desired outcome.

3:32 Nick

As an example, say there's a company that wants to launch a new streaming service used by many, many users out there, whether it's a music or video streaming service.

The discussion that needs to happen between the security leader and the business leader is one where they can talk about the tradeoffs between applying a greater or lesser level of security and the friction it may cause in the business. And so they need to achieve that balance between protecting the business and running this operation and driving revenue. That's a good discussion about the optionality in the tradeoffs.

That's a business discussion that the business wants to have, and they need to understand from the security leader, “What are my tradeoffs?” And so, when the discussion happens this way, the security team moves away from being the department of “No,” as many security teams are seen, to becoming the department of “know” – K N O W.

OK, which again provides business leaders with multiple security options and helps them understand the various consequences and make risk-informed decisions.

4:37 Nick

And I think the automation – to the latter part of your question: I think the automation of FAIR brings another level of visibility to cyber risk that was not possible before. And traditionally, risk assessments had been point-in-time assessments largely based on subjective estimates.

And so, with automation and, more specifically, the automated ingestion of machine data related to company assets and controls and threats into an engine that runs FAIR, you get a level of objectivity that was not possible before.

And so it also enables you to monitor risk in real time. So it's no longer a once-a-quarter, twice-a-year, or once-a-year event to do a risk assessment – they may take many, many weeks. It is a continuous process where you are looking at risk in real time.

So it becomes really risk monitoring that enables much more frequent decision making and enables, also, new use cases. Because now you're no longer just focusing on spending a lot of time making, you know, some difficult security decision.

5:47 Nick

But imagine now a tool that allows us to analyze everything happening and also prioritize what controls are most effective in reducing risk on a daily basis, you know.

This is what many also are asking us. I'm hearing it all the time. “If I only had a way to prioritize what is the security control I need to fix today or this week. It's taken me an army of people, a bunch of tools. I cannot look at it in the context of the business… And this is what FAIR allows me to do.”