The truth is that in today’s hyperconnected world, maturity-based cybersecurity programs are no longer adequate for combatting cyberrisks. A more strategic, risk-based approach is imperative for effective and efficient risk management (Exhibit 2).

Andress leans on the FAIR standard from the FAIR Institute to create metrics to share. FAIR stands for Factor Analysis of Information Risk , described as **“**the only international standard quantitative model for information security and operational risk.”