ISACA: FAIR Solves the Communication Gap Between CISOs and Boards

February 3, 2021  Jeff B. Copeland

A new white paper from ISACA, the leading IT training and education organization, makes a compelling case for Factor Analysis of Information Risk (FAIR™), the risk quantification standard that powers the RiskLens platform, as the communication tool of choice for CISOs and other IT and security professionals for presenting on cyber risk to the board.

Download the (free) ISACA white paper: Reporting Cybersecurity Risk to the Board of Directors

“The more a risk-management measurement resembles the financial statements and income projections that the board typically sees, the easier it is for board members to manage cybersecurity risk,” ISACA writes. “…FAIR can enable the economic representation of cybersecurity risk that is sorely missing in the boardroom, but can illuminate cybersecurity exposure.”

ISACA identifies the key communication gap between boards, operating at the highest strategic levels of the enterprise, and CISOs, day-to-day involved at the tactical level of cybersecurity. “To build out these connections between the highest and lowest levels of an enterprise requires the decomposition of high-level board concerns into technologically relevant (and measurable) scenarios.”

Get trained in FAIR through the RiskLens Academy

ISACA recommends starting with Basel II categories of loss, decomposing those to business scenarios then breaking those down to IT risk scenarios (as seen in this chart from the white paper):



It’s exactly the start of the FAIR analysis process. The white paper explains the next steps in FAIR (adding data for magnitude of probable loss, resistance strength of controls, etc.), then inputting to a Monte Carlo simulation to create an overall loss distribution model – all of these functions are automated in the RiskLens platform.

“It is not feasible to escalate all of [the risk scenarios] to the board,” ISACA says. “Instead, the strategy should be to choose exemplar scenarios to represent each aggregate category. A good way to present these scenarios and metrics to executives is through a dashboard.”

RiskLens clients do in fact build dashboards for board presentation, using the highly flexible reporting on the platform to:

  • identify and prioritize among top risks with Rapid Risk Assessment
  • aggregate and compare risks across business units or by asset types or threat communities
  • show risk trends over time, plotted against risk appetite
  • show the probable effect on risk reduction of security initiatives (with the Risk Treatment Analysis capability).

And – music to a CISO’s ears – the white paper includes a section on justifying security budgets to the board. Beware the standard practice of apportioning security spending as a percentage of IT budget, ISACA says. Instead, use risk quantification to draw “a straight line from loss exposure…to the systems supporting the products and services, and to the compromised technological controls that are causing this excess loss exposure… [Also], it is important that the loss amount (quantitatively) shows a reduction after the money is allocated, controls are implemented, and assessments are updated, in a subsequent board report.”

Download the (free) ISACA white paper: Reporting Cybersecurity Risk to the Board of Directors