10 Bits of Wisdom on Quantitative Cyber Risk Management from the FAIR Conferences
The FAIR Institute’s annual FAIR Conference brings together the world’s most experienced thinkers and doers in cyber risk quantification. To watch FAIRCON’s presentations and panel discussions is an education in itself – and they’re all available on video in the Resource Library of the members section of the FAIR Institute website (membership is free to qualified professionals).
Even better, you can attend the 2022 FAIR Conference in person in Washington, DC, or online, September 27-28. Go register now.
As a sampling of what to expect at FAIRCON22, here are 10 moments of wisdom from FAIRCONs past:
1. “Five minutes spent verbally going through the taxonomy has probably helped me save hundreds of hours.”
--Sarina Hothi, Senior Program Manager, DoorDash, 2020 FAIR Conference
“People come in with an edge case and say XYZ is a huge problem and now the end of the world is coming,” Sarina said. By using FAIR to draw out probable outcomes of loss events, “more often than not, we come to the conclusion that the issue at hand is not really a priority.”
2. Good measurement doesn’t count without good communication.
--Phil Venables, CISO, Google Cloud, 2020 FAIR Conference
“As risk professionals we can under-rate the human factors of delivering our results and figuring out the organizational dynamic, so they are best consumed.”
3. Security projects should start with stakeholders’ strategic objectives, not the infosec team’s.
--Evan Wheeler, Senior Director, Capital One, 2021 FAIR Conference
“Start by identifying the problem or pain points that you’re trying to solve before you go looking for issues. Too often we will take a list of ‘vulnerabilities’ and try to find a relevant scenario to match.”
4. Don’t let the perfect get in the way of good risk analysis.
--Phil Venables, CISO, Google Cloud, 2020 FAIR Conference
“In certain aspects of the information security profession, it seems to be dismissed unless it can be a single perfect model that has 100 percent reliability…In no other field of risk management is such a high bar set…The education challenge we have in this space is to help people understand the process of using these things as opposed to hoping there’s going to be some sort of magic oracle that outputs a decision.”
5. Map your scenarios to a standard controls model.
--Gideon Knocke, CISO, realworld one, 2021 FAIR Conference
“After the question, ‘how much risk do we have?’ there is always the question, ‘now what do we do with it?’”
6. The more uncertainty, the more data you need? Don’t believe it.
--Douglas Hubbard, Author, How to Measure Anything, 2019 FAIR Conference
“The more uncertainty you have the more uncertainty reduction you get from the first few [risk analyses]…The belief that we have more uncertainty, so we need more data – mathematically just the opposite is true.”
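Hubbard’s point is a claim about how uncertainty shrinks as data arrives. The following Python is an added illustration (not code from the conference, Hubbard, or the FAIR Institute) and assumes a normal-normal Bayesian model, chosen here because its posterior has a closed form: the first few observations remove far more uncertainty from a wide prior than from a narrow one, and the same number of observations removes very little once a hundred are already in hand.

```python
import math


def posterior_sd(prior_sd: float, obs_sd: float, n: int) -> float:
    """Posterior standard deviation of an unknown quantity after n observations.

    Assumed model (for illustration): prior N(mu0, prior_sd^2), each observation
    carries independent noise with standard deviation obs_sd. Precisions add, so
    posterior variance = 1 / (1/prior_sd^2 + n/obs_sd^2).
    """
    precision = 1.0 / prior_sd ** 2 + n / obs_sd ** 2
    return math.sqrt(1.0 / precision)


def uncertainty_reduction(prior_sd: float, obs_sd: float,
                          n_before: int, n_after: int) -> float:
    """Absolute drop in posterior sd from n_before to n_after observations."""
    return (posterior_sd(prior_sd, obs_sd, n_before)
            - posterior_sd(prior_sd, obs_sd, n_after))


def compare_first_few(obs_sd: float = 1.0, wide_prior_sd: float = 10.0,
                      narrow_prior_sd: float = 1.0, k: int = 3) -> dict:
    """Compare what k observations buy a wide prior, a narrow prior, and a
    wide prior that already has 100 observations behind it.

    The prior widths and noise level are constructed sample values.
    """
    return {
        # wide prior: large absolute and relative reduction from k observations
        "wide": uncertainty_reduction(wide_prior_sd, obs_sd, 0, k),
        # narrow prior: the same k observations buy much less
        "narrow": uncertainty_reduction(narrow_prior_sd, obs_sd, 0, k),
        # late observations: k more after 100 barely move the posterior
        "wide_late": uncertainty_reduction(wide_prior_sd, obs_sd, 100, 100 + k),
    }


if __name__ == "__main__":
    for label, drop in compare_first_few().items():
        print(f"{label:10s} sd reduction = {drop:.4f}")
```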
7. Subjective risk estimates can be great with the right training.
--Douglas Hubbard, Author, How to Measure Anything, 2019 FAIR Conference
Hubbard recommended training subject matter experts in calibrated estimation and how to avoid common errors and biases. “With training, 85% of them are statistically indistinguishable from bookies. Bookies are very good at this. Physicians are terrible at estimating probability.”
8. Cyber resiliency is about people first, technology second.
--Betty Elliott, CISO, Freddie Mac, 2021 FAIR Conference
Reflecting on all the IT challenges brought on by the pandemic, “the technology was the easy part; it’s really developing appropriate processes as it relates to our people” that was the challenge.
9. The 3 questions boards should ask CISOs:
--Chris Inglis, US National Cyber Director, 2019 FAIR Conference
- Are you defending the business or something less than the business like the digital infrastructure?
- Are the people authorized to take risk aligned with the people charged to mitigate?
- Have you made what you are doing defensible (by quantification)?
10. Position security as an enabler of corporate strategy.
--Shelley Leibowitz, Board Member, Morgan Stanley, BitSight, 2020 FAIR Conference
“Security has to be embedded in the front end of everything you do, and you have to think of it as a core part of your strategy or it will be the business plowing ahead and security saying ‘no’ and that’s a losing proposition.”