FAIR Conference 2019 Day 2: Advice on 3rd Party Risk, Pitching the Board, ERM, IRM and Messy Data from Doug Hubbard, Gartner and More

James Lam and Chris Inglis FAIRCON19Like Day One of FAIRCON19, the second day of the FAIR Institute’s annual gathering covered a wide range of top-of-mind topics for cybersecurity and risk professionals, from the stage and out in the hall for peer-to-peer mind-sharing over coffee and churros. Here’s a quick look at the day at the Gaylord National Convention Center Gaylord National Resort & Conference Center in National Harbor, MD:

John Wheeler, Global Research Leader - Risk Management Technology at Gartner, the influential technology consulting firm, gave the keynote address “Why Digital Business Needs IRM [Integrated Risk Management] and Risk Quantification.” John’s premise: “digital business” isn’t just about running software and storing data anymore, it’s the thorough transformation of businesses through new business models enabled by digital.

At first glance that just raises digital risk, but Gartner argues that it equally raises the flip side, of digital opportunity, and risk professionals need to start thinking of risk as running in both directions. In effect, this is an even stronger case for risk quantification in financial terms. Wheeler shows integrated risk management – with the different risk disciplines centered on digital risk management in this chart:

FAIRCON19 Future of Integrated Risk Management - John Wheeler - Gartner

Gartner foresees 50% of large enterprises on an IRM system by 2021.

Also on Day Two of FAIRCON:

FAIR Institute Announces 2019 Winners of Annual Excellence Awards at FAIR Conference

The “Use Case Panorama: How Quantification Enables Risk-Aligned Decision Making” brought together FAIR practitioners Alex Rogozhin of BB&T, Laura Voicu of Swisscom, Luke Domet of Fidelity Investments and India Sutton of Daimler Mobility AG, who went into detail on how they started their FAIR programs – the common thread was start small but be prepared to extend once the organization realizes the value of quantification. As Alex Rogozhin said, “FAIR analysis has this byproduct impact – looking at system holistically.” Luke Domet described how his team took on a massive task, risk analysis of 8,000 applications run by Fidelity. Based on interviews with stakeholders, they developed five standard risk scenarios to apply to all applications and mapped those to FAIR.

FAIR analysis owes some key components to the work of statistician Douglas Hubbard – particularly calibrated risk estimation – so Hubbard’s appearance to talk about “How to Manage Risk with Limited and Messy Data: Overcoming the Myths” was kind of a homecoming. Some of Doug’s pithy advice:

  • “High payoff measurements tend to be relatively early. The more uncertainty you have the more uncertainty reduction you get from first projections.”
  • “A model outperforms a human expert even when based on a human expert to begin with.”
  • “Your team should be ‘belief updaters’ [flexible thinkers]. They make better estimators.”

Doug also made the case that the supposedly most difficult thing to measure in a data breach – reputation loss – is actually the easiest: “You have all the data. There’s no such thing as secret reputation damage!”

James Lam Headshot 2Pen Testing Your Board Pitch” starred two veterans of corporate boards, James Lam director at E*TRADE and Chris Inglis, director at FedEx, KeyW and Huntington  Bank. Each had some handy tips for board presentations:

James suggested five things for a killer board report:

  1. Tell them about the cyber threat environment
  2. Tell them our security posture from the outside looking in
  3. Our security posture from the inside looking out (NIST maturity or time to detect a breach, for instance)
  4. Cyber risk exposure in quantified terms
  5. Are we making the right decisions, based on cybersecurity scenarios?

Chris had his own list of questions for boards to ask:

  1. Are you defending the business or something less than the business like the digital infrastructure?
  2. Are the people authorized to take risk aligned with the people charged to mitigate?
  3. Have you made what you are doing defensible (by quantification)?
  4. Are you actually defending it (are defenses working as they should)?
  5. Have you used all the power available to you? (For instance, within the organization or law enforcement or pen testers.)

Wade-Baker-CyentiaIf there was a message in the session “Managing Organizational and Third-party Risk in the Age of Digital Transformation” with Jill Morganwalp of E*TRADE, Tom Baine from RiskRecon, Chris Golden of Horizon Blue Cross Blue Shield of New Jersey and Wade Baker of Cyentia Institute, it was that third party vendor risk management is still a frontier. Wade said that 84 percent of the organizations in a RiskRecon/Cyentia survey hosted a critical asset with a cloud provider, and that means giving up considerable control of risk management, compared to on-premises. Some war stories: Big cloud vendors will strike out your attempt to write in a right-to-audit in your contract…and when you cut ties with a cloud vendor there’s actually no way to make sure it’s turned the service off and returned all your data.

And in conclusion...

At the closing, Jack Jones thanked the crowd for its “courage” in continuing to push forward with the quantification revolution, despite the headwinds – “It gives me the energy to continue to work in the ways that I can.” And Nick let everyone know that they will likely be hearing from a new group at the FAIR Institute, the FAIR Enablement Specialists, who will “ask you what you are trying to accomplish with the FAIR Institute and how can we help you.”


Learn How FAIR Can Help You Make Better Business Decisions

Order today
image 37