My week was FAIR
I was lucky enough last week to go through training on the FAIR methodology. After the course, I was sitting with Jack Jones and he asked me if the course met my expectations. I shook my head and said “no… it exceeded my expectations.” I wanted to write up my thoughts and experiences on this week.
Before the Training
I think it would be difficult to work around security and risk analysis and not know what FAIR is. It is talked about in blogs, mailing lists and forums. Most people treated it like it was sliced bread 2.0, although the initiated seemed overly fixated on terms and their proper use. But I didn’t go into this training naive. I already had a whole slew of mediocre risk methodologies under my belt. I’ve read most of the usual books on risk and related topics. I thought I was ready.
Reflections on the Training
I won’t go into the details of FAIR internals. But I will tell you that I was already familiar with most of the concepts. What made an impression on me was how all of these concepts were put into practice. If you catch me in person, get me talking about accuracy versus precision, or the value of subjectivity and estimation, and I probably won’t shut up now.
The biggest takeaway from my FAIR training is this: FAIR is not a checklist methodology; it is a mindset. It’s a way of thinking about risks, the elements that make up risk and how those interrelate. Neither is FAIR a plug-a-couple-of-numbers-in method; it requires its own way of thinking, which, as I’m learning, requires quite a bit of practice to do well.
I’ve seen a lot of hack risk methods that claim “based on FAIR”. Thinking that it’s possible to build something by reading the white paper and various interwebs is like building a violin from a picture of a Stradivarius and saying “based on Stradivarius”. It just can’t be done.
We, as infosec geeks, should not guess at the impact of breaches. Because we stink at it. Seriously. It’s like we are kids tying our shoes for the first time; it’s only a matter of time before we realize we should stop and ask for help. The dirty little secret I learned is that there are people already in my company who are far more capable at estimating things like notifying customers, or the cost of responding to breaches. I’m told that lawyers are pretty good at estimating the costs of various legal proceedings. This realization was a big forehead-slapping “well duh” moment for me.
I ain’t done being trained. Even though the training is over, this shift in perspective won’t be easy (for me and my organization). I plan on leveraging the contacts I’ve made and asking a lot of questions. This stuff is not easy and I have no plan to walk it alone.