The 2021 FAIR Conference (FAIRCON21) brought together thought leaders and challengers of the status quo for information and technology risk management, so it’s not surprising that conventional thinking got challenged all over. Here are a few of the surprising takeaways:
1. You need to see your cybersecurity controls as a system
Everything from the NIST CSF and other frameworks to vendors pushing single-point security solutions advances the checklist approach to controls – the more the better. Jack Jones, creator of Factor Analysis of Information Risk (FAIR™), introduced the breakthrough FAIR Controls Analytics Model™ (FAIR-CAM™) at FAIRCON; it categorizes controls by type and function, shows how they interact, and quantifies their effect on risk reduction singly and together. “If we want to effectively manage a problem space like cybersecurity, we have to account for its complex nature,” Jack said.
Read the white paper An Introduction to FAIR-CAM by Jack Jones (FAIR Institute membership required).
2. Cyber resiliency is about people first, technology second
Resiliency typically gets defined in technical terms, to “develop more survivable, trustworthy systems,” as NIST Special Publication 800-160 puts it. That attitude got a real-world test during the pandemic, with sudden shifts to working at home and other major disruptions. “The technology was the easy part; it’s really developing appropriate processes as it relates to our people” that was the challenge, said Betty Elliott, CISO at Freddie Mac, in a panel discussion. “Resilience is mostly about human behavior,” said Harold Marcenaro, Digital Risk Officer at BCP, Peru’s largest bank. “In order to change human behavior, you need two things: one is motivation, the other is less friction…We learned the key is in reducing friction in change, with training, templates, codes inserted.”
3. Security projects should start with stakeholders’ strategic objectives, not the infosec team’s
“Start by identifying the problem or pain points that you’re trying to solve before you go looking for issues,” writes Evan Wheeler, VP of Risk Management at Fintech firm NVDR, Inc. “Too often we will take a list of ‘vulnerabilities’ and try to find a relevant scenario to match, but really the process works best in the other direction.” Evan was inspired to write by the FAIRCON discussion with the FAIR team at Netflix, Tony Martin-Vegue and Prashanthi Koutha, who made the point that the first consideration in cyber risk management should be what goals of the organization are at risk. Learn more: 4 Questions and 4 Action Steps to Get a FAIR Program Off the Ground.
4. Regulators want you to fail a recovery test – if it’s a “good fail”
Federal Reserve cyber specialist Matt Tolbert told the conference: “I know sometimes [financial] firms are concerned about divulging that they didn’t have a successful recovery test. As far as I’m concerned, it’s great the test was performed and if there were failures, that’s a good fail, because I have to believe the firm learned from that experience.” Tolbert added: “I think we are reaching inherent limitations of what controls can and cannot do. So, it’s very important to understand can our controls actually stop certain types of attacks,” and, if not, whether resiliency measures are adequate. Learn more: 5 Metrics for Cyber Risk Resilience.