CISOs and directors of security don’t share well with security engineers from other companies. If you use an outside vendor for security risk assessments, consider switching consultants every other year for a fresh perspective. The language of risk management isn’t native to IT; the Factor Analysis of Information Risk (FAIR) framework of interconnected models is a great resource for CISOs looking to get up to speed. Don’t wait for a crisis to set goals; a CISO should be proactive.
Source: https://www.darkreading.com/analytics/five-ways-to-get-rational-about-risk

