Every year, the RSA Conference is a snapshot of the ever-evolving State of the Cybersecurity Profession (and the vendors who market to it), and this year the State is…more risk- and risk-quantification-aware than ever. Starting with RSA President Rohit Ghai’s keynote remarks that “we are maturing in terms of quantifying cyber risk with standards like FAIR…Cyber risk quantification is a hot field” – and down to the exhibition area where Evolver’s Chip Block found vendors had “somehow turned everything from network mapping tools to endpoint protection products into risk platforms.”
We asked Chip and four other FAIR pros (and RSAC veterans) for their takes on the conference and what it said about the profession’s growing acceptance of FAIR, and general maturity level (or maturity gap).
Chairman, FAIR Institute
Jack spoke at the conference on “From No Data to Drowning in Data – A Reality Check”
“It was incredibly gratifying to see the progress our profession is beginning to make toward becoming a more mature and effective discipline. Just a couple of years ago many people at the conference were still buried in the “You can’t quantify cyber risk” quagmire, and now there’s strong and growing recognition that not only can it be done, but that it must be done.
“As recognition grows that risk needs to be our focus as a profession, we need to be wary of the snake oil and superficial solutions that will inevitably also become part of the solution scene. Many of these will be well-intentioned, but nonetheless can lead to several forms of bad outcomes, including: disillusionment in quantification, a false sense of efficacy, and poor risk management. As risk solutions are brought to the market, they need to be open to examination and they need to be able to defend their results.”
Security Lead Consultant, ADP
Marta spoke at the conference on “Creating Order from Chaos: Metrics That Matter”
“After an eventful 2017, it was great to sit through an opening keynote [by Rohit Ghai] that focused on the silver linings in security – not because our industry is oblivious, but because we are coming up with and implementing ideas and approaches that will help us make better decisions and get ahead of the curve and stop playing catch up. Of course, FAIR is a great example of such ideas.
“In general, I have been observing a shift from ‘we need security to be a discussion topic’ to a point where security is a discussion topic but we are struggling to have a conversation [based on shared understanding]. I take this as a sign that we are moving in the right direction – as I heard from multiple speakers, it is a matter of maturity and other industries have been through this as well. It is very exciting to be part of this process, I can’t wait to see what the landscape looks like in 5 years!”
Director, Cyber Risk, TIAA
Co-author with Jack Jones of the FAIR book, Measuring and Managing Information Risk
Jack spoke at the conference on "Implementing a Quantitative Cyber-Risk Framework: A FinSrv Case Study"
"For me, the biggest news out of RSAC was when Rohit Ghai, RSA President, mentioned FAIR in the opening keynote. At a conference where every vendor is purporting to have the key to risk-based decision making, it's comforting to know that FAIR practitioners have been ahead of the curve in articulating quantitative cyber risk to their businesses. In Rohit's "Cybersecurity Silver Linings" keynote, he highlighted the maturity in the cyber insurance industry and attributed it to the FAIR quantification standard and the bow-tie method. The rest of the conference was replete with sessions and panel discussions of quantification using FAIR in practice and discussions of cyber value-at-risk. Indeed, at a conference where the world goes to talk security, hundreds spent their time learning to do so in the language of risk."
Founder and CEO RiskRecon
“Peek into most any IT shop and you will find people managing laundry lists of security issues - not risk. Too often the laundry list item priorities are based on the opinion of the manufacturer of the issue - the commercial vulnerability scanner, the third-party security assessor, the internal auditor, the government regulator, or the PCI assessor. The entire dynamic of information security transforms when people apply FAIR principles to manage risk. Instead of just managing based on issue severity, organizations allocate resources based on a defensible assessment of probabilities and magnitudes of bad outcomes.
“At the FAIR Breakfast, it was fascinating to hear the broad contexts to which FAIR is being applied. FAIR isn't just a framework for managing information security risk. Like economics, it is applicable to an almost universal set of use cases - warfare, shipping routes, insurance, politics, natural disasters, and others.
“We are currently living in the Middle Ages of medicine, practicing the equivalent of bloodletting to manage risk. FAIR provides a framework for far better allocation of precious economic resources.”
Managing Director, Cybersecurity Framework & Risk Assessment at Charles Schwab
"This year’s RSA conference topics and speakers highlighted the shifting focus from the latest vulnerabilities, tools, techniques and attribution (while those certainly have their place) to how we know we are doing enough of the 'right things' from a security perspective to support the business objectives. This change in focus is representative of the evolving conversations at the board level and in a world of black and white hats, it is exciting to see FAIR concepts and methods increasingly used to help the business to 'deal with the grey'."
Vice President at Evolver
(Following is an excerpt from Chip’s LinkedIn post “Risk, Risk Everywhere: Reflections on RSA Conference 2018”)
“Having attended this conference for years, every year has another buzzword feel as every company is trying to jump on the newest trend to capture the imagination of a buying community that is still pretty immature and not exactly sure what to buy.
“We have passed the “machine and AI” trend of last year and have now entered “risk management” land. These range from Rohit Ghai’s opening keynote call for business-based cybersecurity to numerous new vendors on the showroom floor touting that they have the best way to visualize and manage cyber risks.
“The problem is all of these companies have a different definition of risk. One company stated that their network analysis tool can immediately identify risks by showing where all of the users are on the network and if there are any anomalies in normal operational behavior. Last year this was called a network mapping tool but this year it is a ‘risk management platform’.
“Why does it matter? It matters because it confuses non-cybersecurity people at almost all sizes of companies…When network mapping tools are being confused with corporate risk discussions, the end result is lack of credibility for cybersecurity professionals.
“I had the pleasure of being on a panel with Jack Jones, author of the Factor Analysis of Information Risk (FAIR) model, on Wednesday of RSA week. He clearly presents in the FAIR methodology that the definition of a risk is the ‘loss event frequency times the loss magnitude’. The critical term here is ‘loss’. This is ‘loss’ in business terms -- namely money. At RSA, many of the vendors equate any technical finding as a risk, with no connection to a loss factor.
“When I described this need to identify risks in terms of business loss, one person said to me ‘but that would make every customer different’. That is the point, customers are different and vary by business objectives and markets.”
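The FAIR definition Chip quotes, risk as loss event frequency times loss magnitude in money terms, as an added worked example (not code from the FAIR Institute or any vendor): a small Monte Carlo over constructed min / most-likely / max ranges for two hypothetical scenarios, showing how a scanner severity label and loss-based risk can rank in opposite order. The scenario names, ranges and the triangular distribution are assumptions, not figures from the post.

```python
"""FAIR-style estimate: risk = loss event frequency (LEF) x loss magnitude (LM), in money.
Constructed example, not FAIR Institute code. Triangular min / most-likely / max
ranges stand in for the PERT-style distributions FAIR tools typically use."""
import random
import statistics
from dataclasses import dataclass

@dataclass(frozen=True)
class Range:
    low: float
    likely: float
    high: float

    def sample(self, rng):
        return rng.triangular(self.low, self.high, self.likely)  # args: (low, high, mode)

@dataclass(frozen=True)
class Scenario:
    name: str
    scanner_severity: str  # what a vulnerability scanner reports; a finding, not a risk
    lef_per_year: Range    # how often the loss event is expected to occur
    loss_magnitude: Range  # loss per event, in currency units

def simulate_annual_loss(scn, n=20_000, seed=1):
    """Return n simulated annual losses; each draw is LEF x LM from independent samples."""
    rng = random.Random(seed)
    return [scn.lef_per_year.sample(rng) * scn.loss_magnitude.sample(rng) for _ in range(n)]

def summarize(losses):
    """Mean annualized loss exposure and the 90th-percentile year."""
    s = sorted(losses)
    return {"mean": statistics.fmean(s), "p90": s[int(0.9 * len(s))]}

def rank_by_risk(scenarios, n=20_000, seed=1):
    """Order scenarios by mean annualized loss exposure, highest first."""
    return sorted(scenarios, reverse=True,
                  key=lambda s: summarize(simulate_annual_loss(s, n, seed))["mean"])

# Constructed scenarios: the scanner label and the loss-based risk disagree.
PAYROLL = Scenario("payroll data exfiltration", "medium",
                   Range(0.1, 0.5, 2.0), Range(200_000, 1_000_000, 5_000_000))
KIOSK = Scenario("lobby kiosk defacement", "critical",
                 Range(0.5, 2.0, 5.0), Range(500, 2_000, 10_000))

if __name__ == "__main__":
    for scn in rank_by_risk([PAYROLL, KIOSK]):
        print(f"{scn.name:28} severity={scn.scanner_severity:9}", summarize(simulate_annual_loss(scn)))
```

The "critical" kiosk finding ranks below the "medium" payroll one because its per-event loss is tiny; the ranges, not the severity label, drive the answer.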