5 Cyber Risk Management Insights from 5 Cybersecurity Leaders at FAIRCON23
Straight from the front lines of cybersecurity, the recent 2023 FAIR Conference (FAIRCON23) pulled together a panel of CISOs and other cybersecurity leaders from Mastercard, Rolls-Royce (the jet engines maker), US Department of Energy, Expedia Group and Fitch Group (the credit rating company) to share insights and trade war stories.
>>Moderated by Robert Rodriquez, Chairman and Founder of SINE
>>Paul Selby, CISO at US Department of Energy
>>Jennifer Buckner, SVP Technology Risk Management at Mastercard
>>Nathaniel Davis Jr, Vice President, Corporate & Defense Security at Rolls-Royce
>>Ian Rathie, CISO at The Fitch Group
>>Kurt John, CSO at Expedia Group
Here are a few of the insights into cyber risk management they discussed:
1. Board Reporting Tips
“Boards typically ask 2 questions: how at risk are we, because they don’t typically know to ask more specific questions, and the second question is how we compare to our peers.
“I give them three things.
--First, here are fundamentals that the industry recommends we do and where we are lacking.
--Second, very specific to the business objectives. Our big bet for the next 24 months is Product A that relies on this technology and if we fail at that the entire launch is going to be a dud. Therefore, we are trying to spend some money in this space to secure this.
--Third, in cases where similar companies of the size and scale we are have experienced a breach around a similar product that we are launching, here is what the impact has been, $100 million, whatever the case may be. Very quickly, the board can make a decision because the upside of Product A is $300 million. Similar breaches have cost companies $150 million; I’m asking for $10 million.”
2. Value of Tabletop Exercises
Buckner, a retired US Army Brigadier General, recommends “the discipline in exercising with the people who make decisions, who are on the front lines, who are in the boardroom, and currently that’s not just an internal exercise. Now, that has to be with our critical suppliers as those perhaps introduce single points of failure, as well as customers. So that when we are called to react, we have relationships, we have practice, and we can certainly adapt to the specific situation. That premise that we would exercise what we are expected to do in crisis is a common theme from the military and government to industry.”
3. Risk Management on the Supply Chain
“On the cyber side of the supply chain, how do we make sure that what we get is not grey market material, that there are no backdoors built into it? There’s no over-arching regulatory body that’s doing IV&V [independent verification and validation], that says the source code was built where it said it was, that we’ve done the hashing of it to make sure there were no changes from when it was written to when we got it. Those are the things that I think we really need to look at, not just country of origin and where the code is being written. We all know there are ways to make it look like it’s made in America… So, I think we really could do better, and we haven’t really focused on that.”
4. Their Security Technology Wishlist
Kurt John: “AI that can measure the ethics and efficacy of
Jennifer Buckner: “Productizing trust. There are a lot of siloed solutions around…putting it all together for a trust and assurance picture.”
Ian Rathie: “How to centralize vendor risk assessments so you don’t have to build out a huge infrastructure.”
5. The Role of FAIR
“We are no longer the tech guys or gals in the background, talking bits and bytes, feeds and speeds. If we come into the board room talking like that, you see the eyes roll back and they don’t understand. This is where organizations like the FAIR Institute help push us forward. We start talking a common language and we start being able to put the quantitative analysis behind it and say, if you don’t do this, this is the risk. Allowing us to have those kinds of conversations changes the game for us.”