FAIR Institute Breakfast Meeting Hears from Jack Jones on Cybersecurity Risk Measurement’s Future: Moving to AI, FAIR-CAM, and Defensible Analysis
FAIR Institute Chairman Jack Jones laid down a challenge to the FAIR Institute’s annual breakfast meeting during the Gartner Security & Risk Summit this week near Washington, DC. “There is no evidence that existing risk measurement methods are effective,” he said, pointing to the continuing use of qualitative risk assessments or compliance with frameworks.
“In order to evolve and mature as a profession, we have to recognize and correct what isn’t working,” he told a full room of FAIR practitioners and learners. The goal should be defensible risk measurement that “does not have significant intrinsic flaws in scoping, modeling or the using of data” – three benefits that Factor Analysis of Information Risk (FAIR™), the standard for risk quantification, provides. Judging by the growth of the FAIR Institute, now past 14,500 members, that future is already here, though unevenly distributed.
Jack discussed two more trends in risk measurement:
>>Automation: He cautioned that cybersecurity controls have nuances and dependencies that automated risk analysis must account for to produce accurate results.
>>Artificial Intelligence: AI can only be as good as its training; it is particularly vulnerable to bias and opaqueness in training data.
“In order for automation and AI to generate results we can trust, they can’t rely on the commonly used methods of the past and present,” he said.
That’s where the FAIR Controls Analytics Model (FAIR-CAM™), recently introduced by Jack, comes in.
“The controls landscape is the most complex and least understood dimension of cybersecurity. FAIR-CAM resolves a huge gap in our ability to understand, measure, and manage control efficacy and risk. It also provides the means to responsibly automate and apply AI to risk analysis.” Learn more about FAIR-CAM.
The breakfast gathering also heard from Brenda Thayer, Senior Manager, Technology Risk, Fannie Mae, who presented a case study on how her team moved the organization away from ineffective qualitative risk measurement, established FAIR-based governance practices, defined scenarios for risk analysis, prioritized risks, measured risk reduction over time, and used FAIR-CAM to evaluate controls. Watch a Meet a Member video conversation with Brenda.
FAIR Institute sponsors Ostrich Cyber-Risk and RiskLens supported the FAIR Institute breakfast event.
Join the FAIR Institute as a Contributing Member. Receive invitations to exclusive events such as the recent breakfast meeting, discounts to FAIRCON and on FAIR training courses, early access to new Institute content materials, access to the FAIR community Slack channel and a copy of the FAIR book Measuring and Managing Information Risk: A FAIR Approach.