Identifying investments
The guest speaker at the webinar was Jack Jones, an authority in cyber risk management who created the FAIR standard, and who currently serves as chief Risk scientist at Risk Lens. “Organisations absolutely need to be very good at identifying where they need to be spending their time and effort,” he said. “If an organisation believes it should be investing in encryption, multi-factor authentication or a SIEM solution, or whatever the case might be, it’s their responsibility to understand whether that’s a good investment or not.”
The webinar looked at the role of FAIR (Factor Analysis of Information Risk), an independent standard for quantifying and managing information risk. This has generated a lot of excitement and anticipation within the risk management community, according to Tom Callaghan, Co-founder of C-Risk and co-chair of the FAIR Institute Paris chapter.
Transform how you model, measure, and manage cyber risk.
Don't wait for the inevitable cyber incident. Build a resilient, risk-based cybersecurity program with Cyber Risk Quantification.
Assessing security controls
CISOs can use FAIR and its control analytics model, FAIR-CAM, to scope risk scenarios while assessing the performance of security controls in mitigating those risks. This way, they can understand which controls work for certain specific scenarios.
The webinar described one such scenario using a fictitious company that has an internet-facing web app that generates revenue – and is therefore valuable – but is victim to growing numbers of exploitable vulnerabilities.
“The goal is to reduce the probability of an extended outage of the service and the financial impact on the organisation… FAIR-CAM can help to identify the controls which directly or indirectly impact loss for a well scoped scenario,” said Callaghan.
Other topics covered in the webinar include:
- How organisations can reduce their levels of vulnerability and increase resistance strength
- How FAIR and FAIR-CAM can support risk at the operational risk level
- How to reduce ‘noise’ of constant alerts by differentiating between vulnerabilities and exploits
- Where to prioritise remediation efforts so you don’t suffer ‘analysis paralysis’
- Why it’s important to develop narrowly scoped risk scenarios to inform decisions
We build scalable solutions to quantify cyber risk in financial terms so organizations can make informed decisions to improve governance and resilience.