“It’s relatively rare that you get security leaders and board members together on a panel to talk about things,” says Wade Baker, who moderated the “What CISOs Need to Tell the Board About Cyber and Technology Risk” panel discussion at FAIR Conference 2017.
Dashboards. Metrics. Data. Everybody has them; most don’t know how to use them effectively. That is a bold statement, but according to Jack Jones and Jack Freund it is a truism in the risk management field.
“You are clearly out of compliance with a federal law.” When you, as a risk management professional, hear this, what is your first reaction?
A. “Yikes! We better fix that immediately!”
B. “That sounds like a problem for the Compliance Department?”
C. “So what? The government has its hand in everything, let us run our business!”
D. “Hmm…let’s perform a risk analysis and see if we should be concerned.”
The National Institute of Standards and Technology, the Federal Reserve, The Open Group, PCI – a prestigious list of organizations and agencies cite or suggest FAIR as a leading model for cyber risk analysis and management. Expect this list to grow as more risk professionals and regulators come to the conclusion that simply following risk management frameworks isn't enough; they need quantitative analytical models to make effective decisions on risk.
In the FAIR model for risk analysis, Loss Magnitude—i.e. the monetary impact of a loss event—is bucketed in six Forms of Loss: Productivity, Response, Replacement, Competitive Advantage, Fines & Judgements, and Reputation.
Look for thousands of job listings next year for “data protection officer” to meet a requirement of the European Union’s General Data Protection Regulation, the privacy law that goes into effect May 18, 2018. Here’s a quick rundown to see if you need to start shopping for a DPO, as well.
Sensitive documents from the US National Geospatial-Intelligence Agency…data on 14 million Verizon customers…voter information on 198 million Americans…Just a few of the reports this year on data breaches—or open data discovered by security researchers before a breach occurred—on Amazon S3 “buckets”.
UPDATE: The FAIR-U training app is now available. Get access to the web app now.
At the FAIR Conference in mid-October, the FAIR Institute will introduce FAIR-U, our first officially sanctioned training application for running FAIR risk analysis, guaranteed to correctly leverage the FAIR model.
FAIR Institute Chairman Jack Jones was interviewed by Jeffrey Kutler of the Global Association of Risk Professionals for an article published on the GARP website, “Signs of Acceptance and Maturity for the FAIR Model”.
The article is vintage Jack. A sample:
Since our founding, The FAIR Institute has received an increasing number of requests to create an information risk management course based on FAIR. We are responding to those personal requests, and to a market demand, to help create risk analysts who are well trained and well versed in quantitative risk analysis.