FAIR Institute in 2023 - from New SEC Rules to New Controls Analytics, Busy Year at a “Key Risk Management Body”

We’re wrapping up a busy year of high achievement at the FAIR Institute, as well as rapid growth in the size, reach and visibility of the FAIR movement. To start, we passed the 15,000 mark in memberships!

Here are just some of the highlights of 2023:

SEC Disclosure Rules Put CRQ Front and Center

New rules from the Securities and Exchange Commission (SEC) on disclosure of material cyber risk created a rush of interest in cyber risk quantification (CRQ) and in the FAIR Institute as the leader in the field.

The Institute met the moment with the release of a new standard, the FAIR Materiality Assessment Model (FAIR-MAM™) that extended the capabilities of original FAIR on the Loss Magnitude factors.

Based on FAIR-MAM, the Institute also rolled out “How Material Is that Hack?”, an educational tool that estimates the material losses for data breaches recently reported to the SEC. The Wall Street Journal covered FAIR-MAM’s debut and called the Institute “a key risk management body.”

FAIRCON23 Most Robust FAIR Conference Ever

October 17-18, 2023, in Washington, DC – it’s hard to know where to start with the packed agenda of the 2023 FAIR Conference. David Hirsch, chief of cyber enforcement for the SEC, explained the new disclosure rules in a session moderated by Wall Street Journal editor Kim Nash. Two leading cybersecurity officials, Chris DeRusha, CISO at the Office of Management and Budget, and Eric Goldstein, executive assistant director for cybersecurity at CISA, made news in a session that covered federal policy for artificial intelligence (also covered in a Journal article).

Other sessions focused on GenAI, automation of FAIR analysis, assessing third party risk and other leading-edge topics. In a keynote speech to the conference, Founder and President Nick Sanna announced a “profound transformation” at the Institute in response to member demand to focus on research, especially on:

>>Evaluating the effectiveness of cybersecurity controls

>>Integrating compliance and risk management

>>Measuring and determining materiality of cyber incidents

>>Assessing emerging risks, for instance related to AI

>>Analyzing risks related to third party/supply chain

Expert members organized a Standards Committee and workgroups to carry out new research objectives.

More conference news was made in 2023: The FAIR Institute hosted its first international gatherings, the Middle East Summit in Amman in March and the Europe Summit in London in June. And two seminars conducted by FAIR creator Jack Jones introduced audiences at the RSA Conference to FAIR and CRQ.

Advances in FAIR Analysis for Controls

The FAIR Controls Analytics Model (FAIR-CAM) brings into the light of quantitative analysis a long-time blind spot in cybersecurity: how controls interact with each other to further (or hinder) risk management. Two milestones in 2023: an Institute research team completed mapping the NIST CSF controls to FAIR-CAM, and Jack Jones led the first instructional workshop on the model at the FAIR Conference. Coming in 2024: Expect to see the first commercialized version of FAIR-CAM and the beginning of widespread acceptance of this new standard.

Automation of FAIR Analysis Moves Forward

Two barriers have held back FAIR quantitative cyber risk analysis from wider acceptance: the difficulty of acquiring and updating risk data, and the skill level and staffing levels required to run FAIR at scale. In July, RiskLens, producer of the most advanced risk quantification platform based on FAIR, was acquired by Safe Security, offering the most advanced AI-powered automated cyber risk management platform. The goal of the combined companies, as Nick Sanna said: “Think automated FAIR.” Safe Security also took on RiskLens’ role as technical adviser to the FAIR Institute.

Significant Publications of 2023

Besides the FAIR-MAM standard, the Institute published two significant works to advance risk awareness:

>>Jack Jones authored a new version of Understanding Cyber Risk Quantification: A Buyer’s Guide – more than ever, the marketplace needed the Institute’s guidance to separate the hype from validated, standards-based CRQ.

>>The annual Cybersecurity Risk Report provided an expert view of the key cyber risk themes and threats for each industry based on extensive data-science research.

It’s All About Our Members

Connecting members with members is a core mission of the FAIR Institute, at our conferences, local chapters and online. In 2023, we introduced the community to these members on our blog: 

Margarita Rivera, Senior Director - Information Security for Lowe's Companies, Inc.

Brenda Thayer, Senior Manager, Technology Risk, at Fannie Mae

Adham Etoom, Head of Policy and Compliance, National Cyber Security Center of Jordan and Co-Chair Jordan Chapter of the FAIR Institute

Pooya Alai, Senior Cybersecurity Risk Manager, Maersk

Darren Kane, CSO at Australia’s nbn

See you in 2024!
