• Back
  • Home
  • insights
  • using-fair-risk-analysis-framework-to-make-business-case-for-security-initiatives
09/29/2020

Using the FAIR risk-analysis framework to make the business case for security initiatives

Advisory Cyber NYDFS

Factor Analysis of Information Risk (FAIR) is a framework and risk-analysis process designed to help companies understand how to effectively quantify and assess cybersecurity and operational risks in financial terms. In other words, the framework offers a consistent set of parameters that organizations can use to measure the underlying issues that contribute to security risks, which can help the IT group report risks to leadership in a consistent manner, since threats will be measured against the same set of risk parameters. Ultimately, this helps organizations perform apples-to-apples comparisons of threats and prioritize risks according to their overall risk profile.  

In CohnReznick’s most recent monthly virtual roundtable for chief information security officers (CISOs), the FAIR framework was the main topic of discussion. Participants shared some of their perspectives on and experiences using the framework, which they said can help CISOs more effectively bridge the gaps when IT is speaking about the cost of risks to the business side of a company, giving the two groups a common language.

For example: Security risk assessments should be the starting phase of defining an appropriate security program. For CISOs, however, that can be a mighty tall order. Many organizations are unable to complete a full risk assessment due to a lack of quantitative information, lack of time, or lack of experience in completing such assessments. Complicating matters, organizations often focus on compliance-based risk reduction before considering actual operational risks. This type of approach can yield misleading results and lead to inefficient use of limited resources. 

These were just a few of the challenges that one roundtable participant, a security executive for a large telecom provider, faced as he attempted to procure funding for a corporate security project. The FAIR framework provided a streamlined, effective alternative to a traditional assessment, and kept the focus on operational risk. His company first used the FAIR framework to recast the initiative in financial terms, he explained, with an emphasis on the net present value of the proposed program. At the same time, the telecom provider needed to factor into the cost analysis the monetary value of a potential loss, a consideration that many company stakeholders were reluctant to embrace. In the end, the FAIR framework enabled the CISO to mount a persuasive and effective argument for funding. 

If the telecom’s experience tells us anything about adopting the FAIR framework, it’s that CISOs should be prepared to invest in training on FAIR, change management, and, very often, outside assistance. Also essential is the ability to employ data and security controls that enable organizations to confidently anticipate monetary losses. 

CISOs participating in the roundtable agreed that FAIR framework can be an effective tool for evaluating risk. In particular, participants cited being able to represent the cost of ignoring the threat of ransomware or use of encryption controls as use cases for FAIR. 

However, they also expressed reservations about the relevance of the framework in cases in which losses are more qualitative than quantitative, as well as situations in which adequate data for reputational damage or brand loss do not exist. 

CohnReznick believes that the FAIR framework is a valuable tool in a firm’s risk analysis toolkit that can enable CISOs to justify specific investments in risk mitigation efforts.

Contact

Bhavesh Vadhani, Principal, National Leader, Cybersecurity, Technology Risk, and Privacy

703.847.4418

Daryouche Behboudi, Managing Director, CohnReznick Advisory

703.744.8507

Subject matter expertise

  • Bhavesh Vadhani
    Contact Bhavesh Bhavesh+Vadhani bhavesh.vadhani@cohnreznick.com
    Bhavesh Vadhani

    CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy

    Go to Bio
  • Behboudi Daryouche
    Contact Daryouche Daryouche+Behboudi daryouche.behboudi@cohnreznick.com
    Daryouche Behboudi

    Advisory Managing Director

    Go to Bio
    • Close

    Contact

    Let’s start a conversation about your company’s strategic goals and vision for the future.

    Please fill all required fields*

    Please verify your information and check to see if all require fields have been filled in.

    Please select job function
    Please select job level
    Please select country
    Please select state
    Please select industry
    Please select topic

Related Insights

Tech logos illustrating cybersecurity
Insight

New SEC cybersecurity guidelines: Next steps for public companies

GCS_Federal-Agencies-Cybersecurity_web-banner
Insight

Federal agencies face complex cyber compliance – but relief is underway

shadows of people as coworkers/employees discussing and interacting with each other with a blue colorwash
Insight

Practical Infrastructure: A blueprint for program management success

This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. Neither CohnReznick LLP or its personnel provide legal advice to third parties. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees, and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.