Front-line experience, freely shared among friends – that about sums up the spirit of the speakers at the recent FAIR Conference 2017, a lineup of leading FAIR practitioners who were amazingly candid about their successes and challenges in spreading the FAIR risk revolution to their organizations.
Here are the highlights from some of the sessions:
Welcome from Nick Sanna, President
Nick kicked off the conference on a note of wonder: Started less than two years ago, the FAIR Institute has grown to more than 2,000 members. “What started as a website has become a real movement,” he said.
The three drivers behind the movement, according to Nick:
- Boards are now talking about cyber risk, after so many high profile data breaches and other cyber loss events.
- CISOs are struggling with prioritizing risk mitigations and allocating resources.
- “Security and risk committees are having a big introspection moment…The way we are reporting or managing risk: Is it just checking a box or does it allow us to really focus on what matters?”
Keynote Address by Jack Jones, Chairman: “Where Do We Go from Here?”
A big welcome from the audience for Jack, creator of the FAIR model. Jack previewed a soon-to-be-released survey by the FAIR Institute of more than 100 CISOs and risk officers to gauge the current state maturity of cyber and technology risk management.
Jack defined maturity as “enabling the organization to cost effectively achieve and maintain an acceptable level of risk.” He asked for a show of hands from the audience of those who thought they’ve hit that level of maturity. No hands went up. And that pretty much captured what the survey will show. “We aren’t on average as an industry very good from a maturity perspective,” Jack concluded.
Jack identified five challenges facing FAIR evangelists trying to up the maturity level of their organizations.
- Credibility, especially the ingrained belief that cyber risk is a “special snowflake” that can’t be quantified.
- Training/resources. Help is coming – Jack pointed out the new FAIR online training course and the new FAIR training web app.
- “One of the challenges we face is low expectations,” Jack said, after years of settling for qualitative “red-yellow-green” risk analysis.
“As we go out there and set higher expectations for people around us that’s going to raise the tide,” Jack urged the audience.
Panel: Effectively Leveraging FAIR to Reset Your Risk Management Program
Featuring Jack interviewing three veterans of FAIR implementation:
Carl Conrad, Manager, Enterprise Architecture Management Systems, Chevron
Joel Baese, Head of Information Security Risk Assessment and Analysis, Walmart
Drew Simonis, Senior Director, Cyber Risk & Governance, Hewlett Packard Enterprise
The panelists agreed with Drew that reset is “a cultural change.” At HPE that means “moving away from the notion that cyber risk cannot be measured. It’s getting to a place where people are bringing us problems to avoid.
“What we saw in the past was ‘This is the path I’m going to take. You tell me how bad that path is, and maybe you can throw some compliance and controls on top of it.’ We’re trying to move to a point where we’re part of the decision-making process.”
At Chevron, Carl said, a key to reset has been to make sure that risk-based decision-making is “part of the governance process.”
The company operates a cross-functional cyber security leadership team, including non-security professionals, who “make sure decisions get cascaded back into their organizations…We bring our top risk themes into the discussion. We convert [FAIR analyses] back to red-yellow-green [heat maps] so they don’t see the numbers.”
Carl said the process has enabled the organization to come to agreement on what are the top risks, so ultimately “we’re allocating money based on the analysis up front. At the end of the day, if you’re not allocating money based on the highest risk because of your analysis, then you aren’t enacting change.”
Case Study: Building a Sustainable FAIR Program
Packed with tips and laugh-out-loud lines from three FAIR evangelists at Bank of America:
David Sheronas, Vice President, Global Information Security
Jack Whitsitt, Senior VP, Cyber Security Risk
Ryan Critchfield, Assistant Vice President
Facing “a massive risk culture with lots of vested interests”, David said, the small team of FAIR insurgents quickly realized that “a frontal assault is not recommended” and instead looked for “ways of changing value equations in a non-threatening way and advantageous to all manner.”
David joked that the better way to respond to a believer in the red-green-yellow, qualitative approach would be “Fascinating! All those colors and possibilities!” He then segued into an explanation of FAIR as “a risk forecasting sundae with an ALE cherry on top” sure to “lead to widespread recognition and promotion for you and your whole team.”
More seriously, David advised going for small victories to implant FAIR into existing tasks. At B of A, his team grabbed on to the opportunity of “formulating intake questions for the risk management process”, such as third-party vendor evaluation, using types of loss events from FAIR. “Use the FAIR ontology wherever possible,” he said. “If you can demonstrate value, you will be accepted.”
David Sheronas was honored with the FAIR Champion Award at the FAIR Conference, along with Roland Cloutier, Vice President and CISO at ADP, winner of the FAIR Business Innovation Award.
What CISOs Need to Tell the Board about Cyber and Technology Risk
Another lively, candid conversation, this time with five experts on both sides of this communication divide.
Wade Baker, founder of Cyentia Institute and adjunct professor at Virginia Tech, author of the Cyber Balance Sheet survey on CISO-Board communication.
Yong-Gon Chon, CEO of Focal Point Data Risk
Austin Adams, Board Member, KeyCorp, CommScope, and former CIO, J.P. Morgan
Christopher Porter, CISO, Fannie Mae
Kim Jones, Professor, Arizona State University, former CSO, Vantiv
Among the many bits of wise advice from this panel:
- Keep the conversation in business – not cyber – terms. “By and large, CISOs are reporting security-related things to the board,” said Wade Baker. “When you ask boards what would they want to see, they want more business-oriented things.”
- Set realistic expectations on security. “We tend to get ‘are we secure?’ from boards of directors,” said Kim Jones. “Are your doors open for business? Then you’re not secure. So let’s start from that point. Now, if there are specific events that you are worried about, I can do something to reduce the probability of that occurring.”
For more on this session, read this report.
The Case for Business-Driven Security - Integrating FAIR-based Analytics into GRC Processes
Serious note-taking going on as Security Lead Marta Palanques of ADP answered questions on many minds about how to bring the benefits of FAIR to a risk process based on GRC.
- Start by educating the organization on what’s truly a high risk among the items in the register.
- Use FAIR to choose among items in the register to determine what’s worth attention.
- Take the outputs from FAIR analysis and add them to the register. “Instead of deciding if this is red or green, start documenting loss exposure, the average and also 90th and tenth percentile. Start tracking that over time so that eventually you can start replacing those colors with numbers.”
- Look for gaps in the GRC as indicators of where the tool needs improvement.
Marta’s team has also had success helping the business choose a risk response with FAIR by comparing alternatives based on how they would change the loss exposure, then looking to the cost and time that would be required – a sort of ROI analysis using FAIR. “You help the business dissect a bigger problem into more palatable chunks and identifying which of those small chunks of work are actually worth it” – a process, she said, that often leads to adding more detail to the GRC.
Presentation: What Metrics Matter in Risk Management?
Isaiah McGowan, Senior Risk Consultant, RiskLens, who’s trained hundreds of FAIR practitioners, got into the use and abuse of that key communication tool for risk analysts: metrics.
According to Ike, metrics communicate
- How far we have drifted from our appetite, in other words, our risk tolerance.
- How much stakeholders should worry about what we present. “You need to communicate to senior management and the board what fires they can let burn.”
- How effectively the organization is prioritizing.
- Where we are blind. “Where do we have visibility, where do we lack visibility?”
He covered some key metrics that can be analyzed by FAIR:
- Annualized Loss Exposure (ALE): “The goal is to eventually get ourselves under our appetite”
- Loss Event patterns, for instance, comparing your experience to a respected survey like the Verizon DBIR
- Loss Magnitude by FAIR forms of loss, critical to deciding if potential losses should be treated, managed or transferred.
- Proportion of our assets with exploitable flaws that are weaponized and in use by threats.
- Proportion of approved projects in a given time frame that include a comparative analysis.
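As an added example (not code from the conference or from any of the speakers), the Python sketch below ties Marta’s advice to log loss exposure as average, 10th and 90th percentile, and to compare risk responses by exposure reduction versus cost, to Ike’s metric of how far ALE sits from appetite: a Monte Carlo FAIR-style estimate ranks candidate responses by net benefit and flags which ones bring the 90th-percentile exposure under a stated appetite. The scenario values, the appetite figure and the use of triangular distributions in place of the PERT curves FAIR tooling normally uses are all assumptions.

```python
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    """A FAIR loss scenario with (min, most likely, max) estimates for Loss Event
    Frequency (events/year) and Loss Magnitude ($/event). Values are constructed."""
    name: str
    lef: tuple
    lm: tuple

def draw(rng, estimate):
    """Sample a (min, mode, max) estimate; triangular stands in for FAIR's PERT curves."""
    lo, mode, hi = estimate
    return rng.triangular(lo, hi, mode)

def simulate_ale(scn, trials=20000, seed=7):
    """Monte Carlo: each trial's annualized loss = events per year x loss per event."""
    rng = random.Random(seed)
    return [draw(rng, scn.lef) * draw(rng, scn.lm) for _ in range(trials)]

def percentile(samples, p):
    ordered = sorted(samples)
    return ordered[round(p / 100 * (len(ordered) - 1))]

def summarize(samples):
    """Average plus 10th and 90th percentile: the figures to record in the register."""
    return {"mean": sum(samples) / len(samples),
            "p10": percentile(samples, 10), "p90": percentile(samples, 90)}

def compare_responses(current, alternatives, appetite):
    """Rank risk responses by ALE reduction net of annual cost and flag whether
    each one brings the 90th-percentile exposure under the stated appetite."""
    base = summarize(simulate_ale(current))
    rows = []
    for scn, annual_cost in alternatives:
        s = summarize(simulate_ale(scn))
        reduction = base["mean"] - s["mean"]
        rows.append({"name": scn.name, "mean": s["mean"], "p90": s["p90"],
                     "reduction": reduction, "net_benefit": reduction - annual_cost,
                     "within_appetite": s["p90"] <= appetite})
    return base, sorted(rows, key=lambda r: r["net_benefit"], reverse=True)

# Constructed inputs: malware carried onto isolated systems by removable media.
CURRENT = Scenario("No change", lef=(0.5, 2, 6), lm=(50_000, 250_000, 2_000_000))
ALTERNATIVES = [
    (Scenario("Media scanning kiosk", lef=(0.1, 0.5, 2), lm=CURRENT.lm), 80_000),
    (Scenario("Faster containment", lef=CURRENT.lef, lm=(30_000, 150_000, 1_000_000)), 40_000),
]
APPETITE = 1_000_000  # constructed: the p90 annual exposure the business will tolerate
```

Calling `compare_responses(CURRENT, ALTERNATIVES, APPETITE)` returns the baseline summary and the ranked responses; tracking the same three numbers release after release is what lets the colours in the register give way to figures.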
Closing session of Day One: Premiering the New Online FAIR Training Platform
Bryan Smith, Chief Technology Officer at RiskLens, the technical adviser to the FAIR Institute, presented a long-awaited tool: the FAIR-U web app, the first training app for FAIR from the FAIR Institute. It is big news for students learning quantitative risk analysis through the FAIR University Curriculum or FAIR Certification Training, and for companies looking to evaluate FAIR before taking the plunge on a paid solution.
Day Two Keynote: Larry Clinton on The Cybersecurity Social Contract
The head of the Internet Security Alliance led the audience through an in-depth look at cybersecurity from the political point of view. The ISA is pushing Congress and the Administration toward a 12-Step Program to “Think Differently About Cyber”, starting with step #1 “attack the problem with greater urgency.” At step #6, “pilot test the NIST framework for cost-effectiveness,” FAIR could have a vital role to play.
Panel: How to Balance Risk Management and Regulatory Compliance
A distinguished panel from the regulation and compliance world:
Moderator: Bill Barouski, Senior Vice President, Deputy CISO, Northern Trust
Jay Restel, Supervision and Regulation Department, Federal Reserve Bank of Cleveland
Nicole Clement, Accenture Security Group, Former OCC
Kirk Herath, Vice President, Chief Privacy Officer, Nationwide Insurance
Bill kicked off the session by asking audience members to stand, then sit down based on how many regulators they deal with – when the regulator count reached 10 there were still plenty of standees.
How realistic is it to believe that we can streamline and harmonize regulation “so organizations don’t have to deal with this cacophony?”, Bill asked Jay Restel from the Fed.
“We’re closer on harmonization,” in the banking sphere, Jay replied, now that the 18 largest banks have come together to work with regulators on solutions, though he didn’t think there would be any significant movement till 2020. He predicted that, along with NIST, “FAIR becomes an important piece to leap over to the harmonization” as regulators coalesce around a standard.
Case Study: Managing Operational Risk Using FAIR
Evan Wheeler, Director, Risk Management, MUFG Union Bank
David Badanes, Cyber Program Director, AES
David Musselwhite, Former Team Leader, Enterprise Risk Management, Quicken Loans
…arrived with an important reminder: FAIR is for operational risk, not just cyber risk.
“We are trying to break down silos between IT and OT,” said David Badanes from AES, the power company that delivers electricity in 17 countries. “Technology is technology whether it’s the operations that run a SCADA [control] system for a power plant or the back end of your email, it’s all technology that we need to protect.” He presented as a case study a FAIR analysis on protecting against risk from the USB drives commonly used in the utility industry to update systems that don’t connect to the internet – with some dramatic loss savings.
David Musselwhite, who recently joined RiskLens as the training manager, chose as his use case a potential loss exposure that most audience members had no clue their companies face: the ink in large-size corporate printers is in fact a hazardous chemical, and an OSHA inspector could levy a fine. His point: “FAIR can apply to any type of loss as long as you appropriately scope the scenario. Wherever there’s loss or potential for loss, FAIR can help you make better decisions.”
Nick wrapped up by asking everybody to continue the spirit of sharing at the conference by participating in the Institute’s online and local activities. “As long as that continues, this will become an even stronger movement.”
Jack urged the conference attendees to go back to their organizations, question all the accepted norms of risk analysis and management and “begin, if only gently, pushing those around you to raise their game…You folks really are the vanguard for how this progresses in the industry.”