Dropbox is taking a methodical and thoughtful approach to implementing its FAIR quantitative risk management program, led by cyber risk manager Tyler Britton, who shared his insights in a presentation at the first quarterly event in the 2022 FAIR Conference series. If you are in launch mode, you will want to listen carefully to each of Tyler's points (listed here with time stamps), as he covers the three must-have supports for a FAIR program: a data library, governance, and resources.
Watch the video of the Dropbox presentation:
Building a Quantitative Cyber Risk Program Based on FAIR, from the Q1 event in the 2022 FAIRCON event series. FAIR Institute membership is required to view.
1:26 Defining the FAIR program you want, from ad hoc analyses to a fully quantitative risk management program.
2:21 Challenges of building a FAIR program, from setting the vision to finding executive champions to “taking a hard look in the mirror and asking do those controls really do anything?”
6:12 Three-segment approach to building a FAIR program. “If one of them fails, the program fails.”
- Data library: the information that feeds analysis
- Governance: the processes and documentation that keep the program resilient
- Resources: the people and tools
8:02 What goes into a data library: information verified by your subject matter experts and easily accessible for quick analysis. When reporting to stakeholders, it is important to "be crystal clear about the data you have" and about where you are making educated estimates.
20:02 Resourcing. At least one to three people dedicated to FAIR, with emphasis on "dedicated," plus adequate tools (Dropbox uses RiskLens analytics software and ServiceNow risk registers).
26:07 Tyler wraps up his points on data libraries, governance, and resources.