Bob Kolasky, who runs the National Risk Management Center in CISA, gave the FAIR Conference 2021 a briefing on CISA’s Systemic Cyber Risk Reduction Venture, an effort to manage and reduce cyber risks to critical infrastructure.
With all the time and money that infosec professionals invest in controls – implementing, patching, auditing, policy promulgation, etc. – you’d think they would be driving control stacks like finely-tuned machines.
If you’re introducing FAIR™ and cyber risk quantification to your organization, look at this presentation from the 2021 FAIR Conference by Cedric De Carvalho, Cyber Risk Manager at Richemont International SA
Matt Tolbert, Senior Cyber Specialist, Federal Reserve Bank of Cleveland, gave some specific pointers on cybersecurity resilience in a presentation at the recent 2021 FAIR Conference
In my last blog post on qualitative risk measurement, I discussed three key aspects that often make the difference between good measurements and bad measurements — scope, model, and data. I also pointed out that these apply to both qualitative and quantitative risk measurement.
The recent 2021 FAIR Conference (FAIRCON21) brought together three experts in corporate governance and risk management to debate how organizations should structure lines of responsibility for cyber risk and security before a cyber loss event
What makes for a high-quality qualitative risk measurement? The answer is simple. We just have to go back to the scope, model, and data elements
Three experienced FAIR™ (Factor Analysis of Information Risk) practitioners got together at the 2021 FAIR Conference (FAIRCON21) to compare notes on best practices for reporting to the board with risk quantification. Their bottom-line advice for a board command performance: Keep it simple and relatable to what the audience already knows.
It was a good problem to have: The board at Government Employees Health Association (GEHA) directed the risk team to start presenting on risk in quantitative terms by the next quarter. A good problem because support from the top would open many doors – but still, the team had to adopt and implement a FAIR™ program from nearly a standing start on a tight timeframe.
There are a lot of blog posts and conference presentations that discuss the differences between qualitative vs. quantitative risk analysis. Most of the time, those discussions focus on the challenges or perceived flaws in one or the other.
