By Jim Hietala, VP of Security and Business Development, The Open Group & John Linford, Forum Director, Security and Open Trusted Technology Forums, The Open Group
Open FAIR has seen rapid and extensive adoption in the US, where it has become the de facto standard for quantifying cybersecurity risk. We at The Open Group are encouraged that Open FAIR awareness and adoption are also increasing globally, and we have seen increased usage outside of the traditional IT risk quantification area as well. Some interesting recent developments on Open FAIR use and adoption outside of the US, and outside of the IT area, include:
1- A recent standard published by the Central European Committee for Standardization (CEN), EN 17748-1:2022 Foundational Body of Knowledge for the ICT Profession (ICT BoK) – Part 1: Body of Knowledge, referenced Open FAIR (among other standards of The Open Group) as an informative reference standard for risk analysis. This is an important development, as it brings Open FAIR exposure to the attention of enterprises in Europe as a risk quantification method. CEN is a collaborating standards body with ISO (for the Central Europe area), as is The Open Group (we are PAS submitters to ISO, enabling fast track adoption of Open Group standards by the International Standards Organization).
2- At the recent Open Group Brazil Security Web Event, we heard several presentations that described the use of Open FAIR in risk quantification, and the presentations were greeted with enthusiasm by the Brazil attendees. One of the presentations was from Modulo, a leading IT-GRC company and a member of the Security Forum, who were kind enough to volunteer efforts to translate the Open FAIR standards into Brazilian Portuguese, paving the way for further adoption in Brazil and Portugal.
3- Among the many people certified to Open FAIR, 29% of the total population is now from outside the US, which is another sign of international interest. The percentage from outside of the US has grown considerably, and many countries are now represented among Open FAIR certified people, including significant numbers from Australia, Brazil, Belgium, Canada, Denmark, France, Germany, India, Ireland, Italy, Netherlands, Peru, Singapore, South Africa, Spain, Sweden, Switzerland, and the UK.
4- Another indicator of international interest is the recent growth of Open FAIR commercial license holders based outside of the US. Here, 48% of the current twenty-five commercial licensees are based outside of the US. This tells us that the commercial interest in Open FAIR is growing for trainers, consultants, and software tool providers outside of the US.
5- Finally, as regards Open FAIR use outside of the traditional IT risk quantification use cases, we are seeing more adoption and use in Operational Technology areas, including OT risk quantification in critical infrastructure such as oil and gas. With the increased regulatory focus on cybersecurity risk, our Security Forum has also recently released a series of papers on vetting cyber risk models and on the use of the Open FAIR models to calculate reserves for cybersecurity risk (see: https://publications.opengroup.org/security-library/w221).
The Open Group Security Forum is actively working to update the materials that support and complement the Open FAIR Body of Knowledge, ensuring consistency in the guidance provided. This work includes publishing the Open FAIR Risk Analysis Example Guide in July of 2021, updating the Open FAIR Risk Analysis Process Guide (in progress) to ensure alignment with the standards, and developing a guide on the mathematics implicit in the Open FAIR methodology (in progress), as well as updating the Open FAIR Certification Program materials, such as the Introduction to the Open FAIR Body of Knowledge White Paper (in progress). Additional recent publications include the Calculating Reserves for Cyber Risk White Paper series, which emphasizes the use of Open FAIR in communicating to financial institutions how cyber risk can be quantified in economic terms as well as to calculate reserve requirements.
For an up-to-date list of publications by The Open Group Security Forum on risk analysis, visit: https://www.opengroup.org/forum/security/riskanalysis.
For information on how to get Open FAIR certified, or how to accredit an Open FAIR training course, please see: https://www.opengroup.org/certifications/openfair
Jim Hietala, Open FAIR, CISSP, GSEC, is Vice President, Business Development and Security for The Open Group, where he manages the business team, as well as Security and Risk Management programs and standards activities. He has participated in the development of several industry standards including O-ISM3, O-ESA, O-RT (Risk Taxonomy Standard), O-RA (Risk Analysis Standard), and O-ACEML. He also led the development of compliance and audit guidance for the Cloud Security Alliance v2 publication. An IT security industry veteran, he has held leadership roles at several IT security vendors. Jim holds a B.S. in Marketing from Southern Illinois University.
John Linford is Forum Director of The Open Group Security Forum, known for the Open FAIR™ Risk Analysis Standard and work around Security and Zero Trust Architecture. He is also Forum Director of The Open Group Open Trusted Technology Forum (OTTF), known for the Open Trusted Technology Provider™ Standard (O-TTPS) and the Open Certified Trusted Technology Practitioner Profession (Open CTTP). John holds Master’s and Bachelor’s degrees from San Jose State University, and is based in the US.