By Ed Peck, Cybersecurity Consultant, Evolver
Ed has worked in cybersecurity for almost 20 years as a professional information security provider. Ed’s current role at Evolver, a Converged Security Solutions company, connects him face to face with the customer – and their data. His FAIR analyst certification means he knows which sets of data are the most valuable, can determine the amount of monetary risk an organization has based on the way it handles its data, and can make recommendations about each. He is CISSP-ISSEP certified and is an instructor for George Mason University’s Essentials of Factor Analysis of Information Risk (FAIR) Course.
FAIR (Factor Analysis of Information Risk) is an industry standard cyber risk model for information security and operational risk. The FAIR cyber risk model is rapidly being adopted worldwide in all industries. Evolver and Converged Security Solutions apply the FAIR model in their cyber risk quantification services for businesses and government agencies. Learn more here.
Do you have what it takes to be a successful FAIR analyst?
One might assume that having the OpenFAIR certification or even technical experience would be at the top of the list. However, I’ve come to realize that there are three key talents in providing value to a risk assessment.
Before I break this down, there are a couple of things to keep in mind. The first is that an understanding of the FAIR taxonomy is a must. Another is that the greatest value of a FAIR analyst comes during the scoping and data gathering phase. With those two items in mind, let’s start with:
“Be able to start a discussion.”
Getting a room of subject matter experts together and having everyone stare at you to start talking can be rather uncomfortable, and if we’re being honest, unproductive. The experts are there because they know the company/process/technology/data better than anyone. They are the experts! Sometimes asking open-ended questions can get the ideas flowing. Other times, especially with the FAIR skeptics or those who are generally uncooperative, it often takes throwing a number out there for discussion. Here’s a tip, though: don’t take the laughing or criticism personally. We want the input from everyone in that room. When you hear, “No way” or “Not even close”, challenge them back by asking, “What do you think it is?” Encourage debate amongst the attendees because this is a great way to get to consensus and accuracy. But one must be mindful of the second talent:
“Don’t let the conversation get off track.”
Here’s where scoping is so important. Whenever you hear, “well, this could happen” or “I mean, it’s possible that…”, alarm bells should be ringing in your head. To help combat this, I refer to a simple trick that was taught to me for these situations. Write the scoping statement in large letters somewhere in the room. Use a whiteboard, paper taped to a wall, a projector screen, something, ANYTHING. This is a good reference point to bring the room back from whatever rabbit hole they are chasing down. I also found it very helpful to have a list of assumptions handy to focus the discussion and gather accurate data. Speaking of data accuracy:
“Play Devil’s Advocate.”
I found it extremely helpful to provide pushback on numbers the subject matter experts provide. This provides a two-fold benefit (I know, another numbered list *grrrr*). First, confidence. If the experts can state their final answer with certainty and conviction, management will be more readily accepting of the final outcome. Second, sometimes these experts are too close to the situation. Everyone thinks their company/department/office is supremely important and critical in the defense of democracy in the free world (okay, I got a little carried away there), but when I start my statement with, “from an outsider’s perspective looking in, that number/statement seems to be unrealistic…”, suddenly a new discussion begins and it’s either positively affirmed by the whole group, or the numbers are changed. Remember, groupthink and yes-men are counter-productive to what we want for an analysis.
One final thought. We are trying to model a probable future event. It inherently involves uncertainties, and there should be initial disagreements during the data gathering phase. Embrace it, focus it, and challenge it. So let’s now discuss the estimated range of people who will disagree with me.