The Device Chronicle interviews Jack Jones, CO-Founder and Chief Risk Scientist, RiskLens, and Chairman of the FAIR Institute, on FAIR risk management and assessment as it applies to digital transformation and IoT projects.
Jack begins the interview by explaining that organizations are increasingly transitioning to risk-based approaches to information security and operational risk, as compliance to regulations alone provide only a minimum layer of security and fail to adequately protect them.
The guiding principles are as follows:
- Information risk has become a business issue, not just a technology issue, as most business processes have digitalized.
- Boards of directors and business executives want to understand an organization’s loss exposure in financial terms to enable effective decision-making.
- Risk and security professionals must become facilitators of the balance between protecting the organization and running the business.
The FAIR Model from the FAIR Institute is a framework for fair risk management that can be used to understand the factors that drive risk and analyse any kind of risk, including cybersecurity and technology risk. It decomposes complex problems into much simpler ways to understand, measure and manage parts. It begins with defining the risk scenarios that you are trying to manage.Is it an outage due to human error? Is it an outage due to some malicious act? The FAIR model is then used to decompose and understand the likelihood and magnitude of those events.
Value of FAIR risk management
Jack explains that this rigorous process makes the measurement of things that many people feel are intractable, actually solvable. He says “It does this by simplifying and clarifying things that are perceived to be complex, and helps people see that they aren’t in fact as complex as they might have perceived them to be.”
Primary and secondary losses in FAIR risk management
Jack then proceeds to describe the two kinds of losses that can occur where there is poor risk management in place.
Primary losses are the losses that occur directly as a result of the adverse event. This can be lost revenue because an organisation got operationally degraded, or it can be loss and the cost of the replacement of assets, and thirdly it could be the cost of the personnel hours involved in dealing and recovering from the adverse event.
Secondary losses are the fallout from the adverse event taking place: this could include customer churn, dropped share price, increase in insurance premium costs; and so on.
Use of FAIR risk management in digital transformation
Jack says the FAIR risk management model has been implemented in technology and digital transformation. He believes that this “is a particularly interesting problem space in this regard as anything you are making particularly crucial and meaningful changes to how you operate a business, which is what digital transformation is all about, this inevitably means change. These changes might introduce weaknesses in the system that weren’t there before and might in some way be exploited. The great example is healthcare and telemedicine, where in this industry they would define the changes they are proposing to make and the potential loss/win scenarios which are being added to the portfolio of things that can go wrong from digital transformation, but also there can be risk reduction from digital transformation.”
Jack advises that the scenarios should be understood and then the FAIR risk model applied to understand the rate or risk increase or risk reduction and then manage that risk appropriately.
Use case of FAIR from digital transformation
Jack shares an example of an organisation (anonymized for professional confidentiality reasons) that was reliant on IoT for their business and their security team were trying to get their business team to care about having better security in place. They were able to use the FAIR model to demonstrate the risk reduction from the application of automation for things like password changes and management. Jack concludes “The business can understand the problem space in a different way around why a certain process needs to be automated. Jack finds that it is more impactful if you can present a reduction in loss exposure due to proposed changes. Jack concludes that “Business leaders are much more likely to respond to this kind of loss exposure when it is represented in dollars and cents.”
We wish Jack and his colleagues at the FAIR Institute well as they continue on their journey to help organizations to better reduce their risk exposure.