We’re wrapping up a busy year of high achievement at the FAIR Institute, as well as rapid growth in the size, reach and visibility of the FAIR movement. To start, we passed the 15,000 mark in memberships!
Here are just some of the highlights of 2023:
SEC Disclosure Rules Put CRQ Front and Center
New rules from the Securities and Exchange Commission (SEC) on disclosure of material cyber risk created a rush of interest in cyber risk quantification, and in the FAIR Institute as the leader in the field.
The Institute met the moment with the release of a new standard, the FAIR Materiality Assessment Model (FAIR-MAM™) that extended the capabilities of original FAIR on the Loss Magnitude factors.
Based on FAIR-MAM, the Institute also rolled out How Material Is that Hack?, an educational tool that estimates the material losses for data breaches recently reported to the SEC. The Wall Street Journal covered FAIR-MAM’s debut and called the Institute “a key risk management body.”
FAIRCON23 Most Robust FAIR Conference Ever
Other sessions focused on GenAI, automation of FAIR analysis, assessing third party risk and other leading-edge topics. In a keynote speech to the conference, Founder and President Nick Sanna announced a “profound transformation” at the Institute in response to member demand to focus on research, especially on
>>Evaluating the effectiveness of cybersecurity controls
>>Integrating compliance and risk management
>>Measuring and determining materiality of cyber incidents
>>Assessing emerging risks, for instance related to AI
>>Analyzing risks related to third party/supply chain
Expert members organized a Standards Committee and workgroups to carry out new research objectives.
Advances in FAIR Analysis for Controls
The FAIR Controls Analytics Model (FAIR-CAM) brings into the light of quantitative analysis a long-time blind spot in cybersecurity: how controls interact with each other to further (or hinder) risk management. Two milestones in 2023: an Institute research team completed mapping the NIST CSF controls to FAIR-CAM, and Jack Jones led the first instructional workshop on the model at the FAIR Conference. Coming in 2024: expect to see the first commercialized version of FAIR-CAM and the beginning of widespread acceptance of this new standard.
Automation of FAIR Analysis Moves Forward
Two barriers have held back FAIR quantitative cyber risk analysis from wider acceptance: the difficulty of acquiring and updating risk data, and the skill level and staffing levels required to run FAIR at scale. In July, RiskLens, producer of the most advanced risk quantification platform based on FAIR, was acquired by Safe Security, which offers the most advanced AI-powered automated cyber risk management platform. The goal of the combined companies, as Nick Sanna said: “Think automated FAIR.” Safe Security also took on RiskLens’ role as technical adviser to the FAIR Institute.
Significant Publications of 2023
>>Jack Jones authored a new version of Understanding Cyber Risk Quantification: A Buyer’s Guide – more than ever, the marketplace needed the Institute’s guidance to separate the hype from validated, standards-based CRQ.
>>The annual Cybersecurity Risk Report provided an expert view of the key cyber risk themes and threats for each industry based on extensive data-science research.
It’s All About Our Members
Connecting members with members is a core mission of the FAIR Institute, at our conferences, local chapters and online. In 2023, we introduced the community to these members on our blog:
Brenda Thayer, Senior Manager, Technology Risk, at Fannie Mae
Pooya Alai, Senior Cybersecurity Risk Manager, Maersk
Darren Kane, CSO at Australia’s nbn
See you in 2024!