Front-line experience, freely shared among friends – that about sums up the spirit of the speakers at the recent FAIR Conference 2017, a lineup of leading FAIR practitioners who were amazingly candid about their successes and challenges in spreading the FAIR risk revolution to their organizations.
You can view videos of all the sessions on the FAIR Institute Member Resources Page. Here are the highlights from some of the sessions.
Welcome from Nick Sanna, President
Nick kicked off the conference on a note of wonder: Started less than two years ago, the FAIR Institute has grown to more than 2,000 members. “What started as a website has become a real movement,” he said.
The three drivers behind the movement, according to Nick:
Jack defined maturity as “enabling the organization to cost effectively achieve and maintain an acceptable level of risk.” He asked for a show of hands from the audience of those who thought they’ve hit that level of maturity. No hands went up. And that pretty much captured what the survey will show. “We aren’t on average as an industry very good from a maturity perspective,” Jack concluded.
Jack identified five challenges facing FAIR evangelists trying to up the maturity level of their organizations.
“As we go out there and set higher expectations for people around us that’s going to raise the tide,” Jack urged the audience.
Carl Conrad, Manager, Enterprise Architecture Management Systems, Chevron
Joel Baese, Head of Information Security Risk Assessment and Analysis, Walmart
Drew Simonis, Senior Director, Cyber Risk & Governance, Hewlett Packard Enterprise
The panelists agreed with Drew that reset is “a cultural change.” At HPE that means “moving away from the notion that cyber risk cannot be measured. It’s getting to a place where people are bringing us problems to avoid.
“What we saw in the past was ’This is the path I’m going to take. You tell me how bad that path is, and maybe you can throw some compliance and controls on top of it.’ We’re trying to move to a point where we’re part of the decision-making process.”
At Chevron, Carl said, a key to reset has been to make sure that risk-based decision-making is “part of the governance process.”
The company operates a cross-functional cyber security leadership team, including non-security professionals, who “make sure decisions get cascaded back into their organizations…We bring our top risk themes into the discussion. We convert [FAIR analyses] back to red-yellow-green [heat maps] so they don’t see the numbers.”
Carl said the process has enabled the organization to come to agreement on what are the top risks, so ultimately “we’re allocating money based on the analysis up front. At the end of the day, if you’re not allocating money based on the highest risk because of your analysis, then you aren’t enacting change.”
Packed with tips and laugh-out-loud lines from three FAIR evangelists at Bank of America:
David Sheronas, Vice President, Global Information Security
Jack Whitsitt, Senior VP, Cyber Security Risk
Ryan Critchfield, Assistant Vice President
Facing “a massive risk culture with lots of vested interests”, David said, the small team of FAIR insurgents quickly realized that “a frontal assault is not recommended” and instead looked for “ways of changing value equations in a non-threatening way and advantageous to all manner.”
David joked that the better way to respond to a believer in the red-green-yellow, qualitative approach would be “Fascinating! All those colors and possibilities!” He then segued into an explanation of FAIR as “a risk forecasting sundae with an ALE cherry on top” sure to “lead to widespread recognition and promotion for you and your whole team.”
More seriously, David advised going for small victories to implant FAIR into existing tasks. At B of A, his team grabbed on to the opportunity of “formulating intake questions for the risk management process”, such as third-party vendor evaluation, using types of loss events from FAIR. “Use the FAIR ontology wherever possible,” he said. “If you can demonstrate value, you will be accepted.”
David Sheronas was honored with the FAIR Champion Award at the FAIR Conference, along with Roland Cloutier, Vice President and CISO at ADP, winner of the FAIR Business Innovation Award.
Another lively, candid conversation, this time with five experts on both sides of this communication divide.
Wade Baker, founder of Cyentia Institute and adjunct professor at Virginia Tech, author of the Cyber Balance Sheet survey on CISO-Board communication.
Yong-Gon Chon, CEO of Focal Point Data Risk
Austin Adams, Board Member, KeyCorp, CommScope, and former CIO, J.P. Morgan
Christopher Porter, CISO, Fannie Mae
Kim Jones, Professor, Arizona State University, former CSO, Vantiv
Among the many bits of wise advice from this panel:
For more on this session, read this report.
Serious note-taking going on as Security Lead Marta Palanques of ADP answered questions on many minds about how to bring the benefits of FAIR to a risk process based on GRC.
Marta’s advice:
Marta’s team has also had success helping the business choose a risk response with FAIR by comparing alternatives based on how they would change the loss exposure, then looking to the cost and time that would be required – a sort of ROI analysis using FAIR. “You help the business dissect a bigger problem into more palatable chunks and identifying which of those small chunks of work are actually worth it” – a process, she said, that often leads to adding more detail to the GRC.
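The comparison Marta describes, ranking risk responses by how much they change loss exposure and then weighing that against their cost, can be sketched in a few dozen lines. The block below is an added illustration, not code from the FAIR Institute, RiskLens or any conference speaker: it models loss event frequency (LEF) and loss magnitude (LM) as calibrated three-point PERT estimates, computes annualized loss expectancy (ALE) both as a point estimate and by Monte Carlo, and ranks alternatives by net annual benefit. The scenario names, the dollar figures and the “one simulated year = LEF sample × LM sample” simplification are all assumptions made for the example.

```python
"""Rank risk-response options by change in loss exposure versus cost (FAIR-style).

Added illustration; not code from the FAIR Institute or any speaker.
Assumes PERT-shaped calibrated estimates and that LEF and LM are independent.
"""
from __future__ import annotations

import random
from dataclasses import dataclass
from statistics import quantiles


@dataclass(frozen=True)
class Pert:
    """Calibrated three-point estimate (minimum, most likely, maximum)."""
    low: float
    likely: float
    high: float

    def mean(self) -> float:
        # Standard PERT mean, weighting the most-likely value four times.
        return (self.low + 4 * self.likely + self.high) / 6

    def sample(self, rng: random.Random) -> float:
        # Classic PERT is a Beta distribution scaled onto [low, high].
        span = self.high - self.low
        if span == 0:
            return self.low
        a = 1 + 4 * (self.likely - self.low) / span
        b = 1 + 4 * (self.high - self.likely) / span
        return self.low + rng.betavariate(a, b) * span


@dataclass(frozen=True)
class Scenario:
    """One scoped loss scenario under a given control set."""
    name: str
    lef: Pert            # loss event frequency, events per year
    lm: Pert             # loss magnitude, dollars per event
    annual_cost: float = 0.0  # yearly cost of the controls this option assumes


def expected_ale(s: Scenario) -> float:
    """Point estimate of annualized loss expectancy: E[LEF] * E[LM]."""
    return s.lef.mean() * s.lm.mean()


def simulate_annual_loss(s: Scenario, iterations: int = 20_000, seed: int = 1) -> list[float]:
    """Monte Carlo annual loss; each iteration is one simulated year (simplified to LEF * LM)."""
    rng = random.Random(seed)
    return [s.lef.sample(rng) * s.lm.sample(rng) for _ in range(iterations)]


def compare_options(baseline: Scenario, options: list[Scenario]) -> list[dict]:
    """Rank options by net annual benefit: exposure reduction minus control cost."""
    base = expected_ale(baseline)
    rows = []
    for opt in options:
        ale = expected_ale(opt)
        reduction = base - ale
        net = reduction - opt.annual_cost
        roi = net / opt.annual_cost if opt.annual_cost else float("inf")
        rows.append({"option": opt.name, "ale": ale, "reduction": reduction,
                     "cost": opt.annual_cost, "net_benefit": net, "roi": roi})
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


# Constructed sample estimates (hypothetical figures, chosen for round results).
BASELINE = Scenario("As-is", Pert(1, 2, 9), Pert(100_000, 200_000, 900_000))
OPTION_A = Scenario("A: halve event frequency", Pert(0.5, 1, 4.5),
                    Pert(100_000, 200_000, 900_000), annual_cost=150_000)
OPTION_B = Scenario("B: halve loss per event", Pert(1, 2, 9),
                    Pert(50_000, 100_000, 450_000), annual_cost=300_000)


def exposure_summary(s: Scenario) -> dict:
    """Mean plus 10th/90th percentile of simulated annual loss for reporting."""
    sim = simulate_annual_loss(s)
    deciles = quantiles(sim, n=10)
    return {"mean": sum(sim) / len(sim), "p10": deciles[0], "p90": deciles[-1]}


if __name__ == "__main__":
    for s in (BASELINE, OPTION_A, OPTION_B):
        print(f"{s.name:28s} ALE ${expected_ale(s):>12,.0f}  "
              f"sim p10/p90 ${exposure_summary(s)['p10']:,.0f}/${exposure_summary(s)['p90']:,.0f}")
    for row in compare_options(BASELINE, [OPTION_A, OPTION_B]):
        print(f"{row['option']:28s} net ${row['net_benefit']:>10,.0f}  ROI {row['roi']:.2f}")
```

Both options cut the point-estimate exposure by the same amount here, so the ranking is decided entirely by cost; that is the “which chunks of work are actually worth it” question in Marta’s description. The percentile columns are what a GRC entry usually lacks and where the added detail she mentions tends to come from.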
Isaiah McGowan, Senior Risk Consultant, RiskLens, who’s trained hundreds of FAIR practitioners, got into the use and abuse of that key communication tool for risk analysts: metrics.
According to Ike, metrics communicate
He covered some key metrics that can be analyzed by FAIR:
Bryan Smith, Chief Technology Officer at RiskLens, the technical adviser to the FAIR Institute, presented a long-awaited tool: the FAIR-U web app, the first training app for FAIR from the FAIR Institute, big news for students learning quantitative risk analysis through the FAIR University Curriculum or FAIR Certification Training or for companies looking to evaluate FAIR before taking the plunge on a paid solution.
The head of the Internet Security Alliance led the audience through an in-depth look at cybersecurity from the political point of view. The ISA is pushing Congress and the Administration toward a 12-Step Program to “Think Differently About Cyber”, starting with step #1 “attack the problem with greater urgency.” At step #6, “pilot test the NIST framework for cost-effectiveness,” FAIR could have a vital role to play.
A distinguished panel from the regulation and compliance world:
Moderator: Bill Barouski, Senior Vice President, Deputy CISO, Northern Trust
Jay Restel, Supervision and Regulation Department, Federal Reserve Bank of Cleveland
Nicole Clement, Accenture Security Group, Former OCC
Kirk Herath, Vice President, Chief Privacy Officer, Nationwide Insurance
Bill kicked off the session by asking audience members to stand, then sit down based on how many regulators they deal with – when the regulator count reached 10 there were still plenty of standees.
How realistic is it to believe that we can streamline and harmonize regulation “so organizations don’t have to deal with this cacophony?”, Bill asked Jay Restel from the Fed.
“We’re closer on harmonization,” in the banking sphere, Jay replied, now that the 18 largest banks have come together to work with regulators on solutions, though he didn’t think there would be any significant movement till 2020. He predicted that, along with NIST, “FAIR becomes an important piece to leap over to the harmonization” as regulators coalesce around a standard.
This panel…
Evan Wheeler, Director, Risk Management, MUFG Union Bank
David Badanes, Cyber Program Director, AES
David Musselwhite, Former Team Leader, Enterprise Risk Management, Quicken Loans
…arrived with an important reminder: FAIR is for operational risk, not just cyber risk.
“We are trying to break down silos between IT and OT,” said David Badanes from AES, the power company that delivers electricity in 17 countries. “Technology is technology whether it’s the operations that run a SCADA [control] system for a power plant or the back end of your email, it’s all technology that we need to protect.” He presented as a case study a FAIR analysis on protecting against risk from the USB drives commonly used in the utility industry to update systems that don’t connect to the internet – with some dramatic loss savings.
David Musselwhite, who recently joined RiskLens as the training manager, chose as his use case a potential loss exposure that most audience members had no clue their companies face: the ink in large-size corporate printers is in fact a hazardous chemical, and an OSHA inspector could levy a fine. His point: “FAIR can apply to any type of loss as long as you appropriately scope the scenario. Wherever there’s loss or potential for loss, FAIR can help you make better decisions.”
Nick wrapped up by asking everybody to continue the spirit of sharing at the conference by participating in the Institute’s online and local activities. “As long as that continues, this will become an even stronger movement.”
Jack urged the conference attendees to go back to their organizations, question all the accepted norms of risk analysis and management and “begin, if only gently, pushing those around you to raise their game…You folks really are the vanguard for how this progresses in the industry.”