Everything from the NIST CSF and other frameworks to vendors pushing single-point security solutions advances the checklist approach to controls – the more the better. Jack Jones, creator of Factor Analysis of Information Risk (FAIR™), introduced the breakthrough FAIR Controls Analytics Model™ (FAIR-CAM™) at FAIRCON. FAIR-CAM categorizes controls by type and function, shows how they interact, and quantifies their effect on risk reduction singly and together. “If we want to effectively manage a problem space like cybersecurity, we have to account for its complex nature,” Jack said.
Read the white paper An Introduction to FAIR-CAM by Jack Jones (FAIR Institute membership required).
Learn FAIR Quantitative Risk Management through the FAIR Institute.
“Start by identifying the problem or pain points that you’re trying to solve before you go looking for issues,” writes Evan Wheeler, VP of Risk Management at Fintech firm NVDR, Inc. “Too often we will take a list of ‘vulnerabilities’ and try to find a relevant scenario to match, but really the process works best in the other direction.” Evan was inspired to write by the FAIRCON discussion with the FAIR team at Netflix, Tony Martin-Vegue and Prashanthi Koutha, who made the point that the first consideration in cyber risk management should be what goals of the organization are at risk. Learn more: 4 Questions and 4 Action Steps to Get a FAIR Program Off the Ground.
Federal Reserve cyber specialist Matt Tolbert told the conference: “I know sometimes [financial] firms are concerned about divulging that they didn’t have a successful recovery test. As far as I’m concerned, it’s great the test was performed and if there were failures, that’s a good fail, because I have to believe the firm learned from that experience.” Tolbert added: “I think we are reaching inherent limitations of what controls can and cannot do. So, it’s very important to understand can our controls actually stop certain types of attacks,” and if not, whether resiliency measures are adequate. Learn more: 5 Metrics for Cyber Risk Resilience.