The FAIR Institute held its first quarterly FAIR Conference, responding to members’ desire to “see and hear more case studies throughout the year,” Institute Membership and Programs Director Luke Bader said, kicking off the event “Pragmatic Use Cases for Cyber Risk Quantification.” Attendees got an up-close look at FAIR™ programs at the DOE, Dropbox and Thrivent Financial, plus bonus sessions with James Lam on tips for Board reporting and Jack Jones with an update on his new FAIR Controls Analytics Model (FAIR-CAM™).
We’ll have the videos of the sessions in the FAIR Institute LINK community site soon, but for now, here are some of the highlights of the conference:
James Lam: How to Make a “Wow” Cyber Risk Report to the Board
Lam is a Board veteran (and current Board member of the Institute and RiskLens), as well as a renowned expert on enterprise risk management. Among many actionable tips, he presented six pointers for a “wow” board report, and these overall best practices:
Ignatius Liberto, DOE, on What It Takes to Win Over a Large Federal Agency to FAIR Risk Quantification
Ignatius Liberto, Director, Cybersecurity Compliance and Oversight, for the Energy Department, presented on lessons learned in what must be one of the most challenging FAIR launches ever, socializing quantitative risk management to a huge list of semi-autonomous laboratories and other sites in the DOE’s “federated” system. Liberto and team are meeting the challenge in part with an impressive array of documentation that anticipates questions and provides templates for risk analysis – he will be sharing documents on the FAIR Institute LINK community site soon. Whether you are in government or out, these takeaways apply:
Jack Jones: Can We Measure the Risk Reduction Effect of NIST CSF Maturity Scores?
FAIR creator Jack Jones introduced the FAIR Controls Analytics Model (FAIR-CAM) at last October’s FAIR Conference, a breakthrough extension of FAIR that quantifies both direct and indirect effects of controls on risk reduction and sets them in relation to each other, showing their mutual dependencies as they fulfill their functions. Jack gave conference attendees a status report on the next phase of FAIR-CAM development, integrating its use with the popular risk management frameworks, such as NIST CSF.
“I get asked all the time, ‘Can we take our NIST CSF scores and plug them into FAIR-CAM?’” Jack said. It’s not so simple, he said: it is unclear both how any given NIST CSF subcategory affects risk and what NIST’s maturity scores represent in terms of risk reduction.
One of the problems, Jack said, is that the framework “munges” various control effects into single subcategories.
The takeaway for now: be cautious about implying risk reduction from adding NIST CSF controls. The good news: Jack and a team of FAIR experts are working on a meaningful CSF/FAIR-CAM mapping (and have reached out to NIST to participate).
Thrivent Financial Gets a Real-Time Education in FAIR Risk Analysis of an MFA Outage
Richard Levitt, Lead Information Security Analyst, and Andrew Herbert, Information Security Analyst, Risk Team, for Thrivent Financial were in the process of onboarding the RiskLens platform for FAIR quantitative cyber risk analysis when a real-time use case fell into their laps: the 2021 outage of multi-factor authentication for Microsoft 365 services cut off communication for 4,000 employees for four hours. Because of the legwork already done for FAIR program set-up (which they describe in this session), they were able to turn around an analysis of the probable risk and recommended mitigations while the outage was still in effect.
First Preview of RiskLens My Cyber Risk Benchmark Tool for Quick Access to Cyber Risk Quantification
Taylor Maze and Ben Gowan previewed upcoming products from RiskLens that promise “cyber risk quantification for all,” offering out-of-the-box CRQ solutions for organizations without the staff, data or tools for a DIY CRQ program. The Industry Cyber Risk Report based on industry-specific data on cyber risk will soon be offered free of charge along with a paid My Cyber Risk Benchmark tool that’s customizable.
Here's a screenshot from My Cyber Risk Benchmark showing one of the seven common risk categories covered, with customized results. On the right are the organization’s figures for expected financial loss per event and annual probability of event occurrence; on the left are the same figures as industry averages, for benchmarking purposes.
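As an added illustration of how the two figures in that screenshot (annual probability of event occurrence and expected loss per event) combine into an annualized loss estimate in FAIR terms, here is a small Monte Carlo model. It is not RiskLens or FAIR Institute code and does not reproduce the benchmark tool; the scenario values, the PERT shape for per-event loss, and the conversion of annual probability into a Poisson event rate are all assumptions made for this example.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    """One risk category in the shape the benchmark screenshot shows:
    an annual probability of at least one loss event, plus a per-event loss
    range (minimum / most likely / maximum). All values are constructed."""
    name: str
    annual_probability: float  # P(at least one loss event in a year)
    loss_min: float
    loss_mode: float
    loss_max: float

    def expected_loss_per_event(self) -> float:
        # Assumed PERT distribution for loss magnitude; its mean is (min + 4*mode + max) / 6.
        return (self.loss_min + 4 * self.loss_mode + self.loss_max) / 6

    def event_rate(self) -> float:
        # Assumption: "probability of at least one event per year" maps to a Poisson
        # rate via P(N >= 1) = 1 - exp(-lambda), so lambda = -ln(1 - p).
        return -math.log(1.0 - self.annual_probability)


def expected_annual_loss(s: Scenario) -> float:
    """Point estimate of annualized loss: mean events per year x mean loss per event."""
    return s.event_rate() * s.expected_loss_per_event()


def sample_pert(rng: random.Random, lo: float, mode: float, hi: float) -> float:
    """Draw one PERT sample as a scaled Beta variate (stdlib betavariate)."""
    if hi == lo:
        return lo
    a = 1 + 4 * (mode - lo) / (hi - lo)
    b = 1 + 4 * (hi - mode) / (hi - lo)
    return lo + rng.betavariate(a, b) * (hi - lo)


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Knuth's multiplication method; adequate for the small annual rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(s: Scenario, years: int = 20000, seed: int = 1) -> list:
    """Simulate total loss for each of `years` independent years."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        n_events = sample_poisson(rng, s.event_rate())
        totals.append(sum(sample_pert(rng, s.loss_min, s.loss_mode, s.loss_max)
                          for _ in range(n_events)))
    return totals


def summarize(totals: list) -> dict:
    """Mean and selected percentiles of the simulated annual loss distribution."""
    ordered = sorted(totals)

    def pct(q: float) -> float:
        return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

    return {"mean": mean(totals), "p50": pct(0.5), "p90": pct(0.9), "p99": pct(0.99)}


def benchmark_gap(org: Scenario, industry: Scenario) -> float:
    """Ratio of the organization's expected annual loss to the industry figure (>1 = above benchmark)."""
    return expected_annual_loss(org) / expected_annual_loss(industry)


# Constructed inputs: the "right side" (organization) and "left side" (industry) of one category.
ORG = Scenario("credential compromise (org)", 0.18, 50_000, 250_000, 2_000_000)
INDUSTRY = Scenario("credential compromise (industry)", 0.12, 40_000, 200_000, 1_500_000)

if __name__ == "__main__":
    for s in (ORG, INDUSTRY):
        print(s.name, "expected annual loss:", round(expected_annual_loss(s)))
        print("  simulated:", {k: round(v) for k, v in summarize(simulate_annual_loss(s)).items()})
    print("org / industry gap:", round(benchmark_gap(ORG, INDUSTRY), 2))
```

The point estimate is what a single "expected loss per event times annual probability" reading gives; the simulation shows why FAIR programs report a distribution rather than that one number, since the 90th and 99th percentiles of a rare-but-large loss category sit far above its mean.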
Dropbox Takes a Methodical Approach to FAIR Quantitative Risk Management Program Launch
If you’re in the consideration phase of launching a quantitative risk management program, consider this presentation by Tyler Britton, Quantitative Cyber Risk Manager, Dropbox, as a thoughtful conceptual roadmap. Tyler, who is in month four of a planned 12-month program rollout, starts with the basics, asking you to question why you want to implement FAIR and whether your organization is truly serious about it. He then walks you through pulling together the key elements: data, governance and resources.