The 2018 FAIR Conference kicked off at Carnegie-Mellon University in Pittsburgh with a session-packed day that was a crash course in strategizing and implementing a risk-based, business-aligned security strategy. Some highlights:
FAIR Institute President Nick Sanna gave a State of the Institute talk that wrapped up the remarkable string of events in the past year-plus, all pointing towards FAIR and risk quantification: the SEC’s revised guidance on cybersecurity disclosure, implementation of the New York Department of Financial Services reporting standards for cyber, the EU’s GDPR going into effect, RSA launching Archer CRQ, and Gartner’s statements of support for quantification ("they actually went to the point of saying GRC is dead”). In the same period, Institute membership passed 3,000 and 30% of the Fortune 100 are using FAIR.
This week, the Global Resilience Federation (GRF) and the Institute announced a partnership to train GRF members in FAIR. And coming up in November, the Institute will brief the new Department of Homeland Security National Risk Management Center on FAIR and launch a new Federal Government chapter.
FAIR model creator and Institute Chairman Jack Jones keynoted on The Next Frontier in Risk Management. “We’re beginning to make great progress on the risk measurement frontier,” Jack said, but “we have to open a second frontier to change views of what ‘mature’ means,” particularly by showing organizations the limitations of “System 1 thinking” applied to risk: the shorthand for fast, reflexive thinking, or “easy buttons,” as Jack put it, that define traditional qualitative approaches to cyber risk analysis.
Jack presented some findings from the FAIR Institute’s 2018 Risk Management Maturity Benchmark Survey, which rated organizations on markers such as use of proper risk terminology or a risk model. The bottom line: the surveyed companies were still at a low level of maturity though improved from last year’s survey.
“The opportunity exists to dramatically improve the state of our profession,” Jack concluded. “Let’s do this!”
In the panel discussion Shifting the Discussion to Cost-Effective Decision Making, with Jack Jones as moderator and panelists La'Treall Maddox of Cisco, Joel Baese of Walmart and Chris Correia of Ascena Retail Group, Jack asked what was the turning point that won acceptance for FAIR in their organizations. For Cisco, “it was a matter of proving out the defensibility of the mathematics, of the statistics around how this is done.” At Ascena, it was about bringing the retail philosophy of “speed to market” to risk analysis.
For Walmart, it was “showing how it makes their lives easier,” Joel said. Case in point: Convincing the vulnerability management people that “things that were risk were no longer risks” meant they didn’t need to set up “war rooms” when the need wasn’t critical, showing them how risk quantification “keeps them home on weekends.”
Case Study: Reporting to the Board: What Got You Here, Won't Get You There, a solo presentation by Omar Khawaja, CISO at Highmark Health, was a master class in communicating risk to the board and the business. Among many nuggets of advice:
- Boards trust the word of the National Association of Corporate Directors, so peg your reporting to the five principles of the NACD Director's Handbook on Cyber-Risk Oversight (which are about taking an enterprise level view of infosecurity)
- Have the confidence to answer “I don’t know” to board questions – but always follow up.
- Don’t spout a lot of cybersecurity metrics. “The point is to make them feel like it’s being managed… All they need to know ‘Is it getting better or worse?’.”
- “Align your reporting to your organization’s maturity and culture.”
The panel How to Communicate the Value of FAIR to Internal and External Stakeholders featured Rachel Slabotsky of RiskLens as moderator, with Greg Rothauser of MassMutual, Allison Seidel of PNC, Steve Reznik of ADP and Brandon Young of Charles Schwab. Greg gave a quick case study of how MassMutual met the new risk analysis requirements from the New York State Department of Financial Services using FAIR:
- Identified critical assets, using FAIR to rank assets based on single loss event magnitude
- Working with the threat intel team, rated threat actors and which assets they might go after.
- Identified key controls.
- Created scenarios, triaged among them then ran full risk quantification on the highest ranked scenarios.
- Developed a mitigation plan based on the results.
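To make the ranking and triage steps above concrete, here is an added example (written for this recap, not MassMutual's or the FAIR Institute's own tooling) of the FAIR top-level calculation: loss event frequency and loss magnitude are each given as a calibrated min / most likely / max range, sampled with a PERT distribution, and a Monte Carlo run produces an annualized loss distribution per scenario. Scenarios are first ranked by single-loss-event magnitude (the asset ranking step) and then by expected annualized loss (the triage step that decides which scenarios get full analysis). The four scenarios and all dollar and frequency ranges are constructed for illustration, and loss magnitude is kept as one range rather than decomposed into FAIR's primary and secondary loss branches.

```python
"""Added example: a minimal FAIR-style Monte Carlo quantification and triage.
Illustrative code for this conference recap; scenario names and ranges are
constructed, not real estimates from any organization."""

import math
import random
from dataclasses import dataclass


@dataclass
class Pert:
    """Calibrated estimate as min / most likely / max, sampled as a modified PERT."""
    low: float
    mode: float
    high: float
    lam: float = 4.0  # PERT shape parameter; 4 is the conventional setting

    def sample(self, rng):
        # Modified PERT is a beta on [low, high] whose shape is set by the mode.
        span = self.high - self.low
        if span <= 0:
            return self.low
        a = 1 + self.lam * (self.mode - self.low) / span
        b = 1 + self.lam * (self.high - self.mode) / span
        return self.low + rng.betavariate(a, b) * span


@dataclass
class Scenario:
    name: str
    lef: Pert  # loss event frequency, events per year
    lm: Pert   # loss magnitude per event, USD


def poisson(rate, rng):
    """Knuth's method; adequate for the small per-year rates used here."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario, rng, n=10_000):
    """One simulated year = Poisson(LEF) events, each with its own sampled loss."""
    annual = []
    for _ in range(n):
        events = poisson(scenario.lef.sample(rng), rng)
        annual.append(sum(scenario.lm.sample(rng) for _ in range(events)))
    annual.sort()
    return annual


def summarize(annual):
    n = len(annual)
    return {
        "ale_mean": sum(annual) / n,       # annualized loss expectancy
        "p10": annual[int(0.10 * n)],
        "p50": annual[int(0.50 * n)],
        "p90": annual[int(0.90 * n)],
        "max": annual[-1],
    }


def rank_by_single_loss(scenarios, seed=7, n=10_000):
    """Asset-ranking step: order scenarios by the 90th percentile of a single loss event."""
    rng = random.Random(seed)
    p90 = {}
    for s in scenarios:
        draws = sorted(s.lm.sample(rng) for _ in range(n))
        p90[s.name] = draws[int(0.9 * n)]
    return sorted(p90.items(), key=lambda kv: kv[1], reverse=True)


def triage(scenarios, seed=7, n=10_000):
    """Triage step: order scenarios by expected annualized loss, highest first."""
    rng = random.Random(seed)
    results = {s.name: summarize(simulate(s, rng, n)) for s in scenarios}
    return sorted(results.items(), key=lambda kv: kv[1]["ale_mean"], reverse=True)


# Constructed scenarios (hypothetical ranges, for illustration only).
SCENARIOS = [
    Scenario("Ransomware on file servers", Pert(0.1, 0.3, 1.0), Pert(200_000, 1_500_000, 8_000_000)),
    Scenario("Insider exfiltration of customer PII", Pert(0.02, 0.05, 0.2), Pert(500_000, 3_000_000, 20_000_000)),
    Scenario("Phishing-led BEC wire fraud", Pert(0.5, 2.0, 6.0), Pert(10_000, 50_000, 200_000)),
    Scenario("Defaced marketing site", Pert(0.2, 1.0, 3.0), Pert(2_000, 15_000, 60_000)),
]

if __name__ == "__main__":
    print("Ranked by single-loss p90:")
    for name, value in rank_by_single_loss(SCENARIOS):
        print(f"  {name:40s} ${value:>14,.0f}")
    print("Triage by annualized loss expectancy:")
    for name, stats in triage(SCENARIOS):
        print(f"  {name:40s} ALE ${stats['ale_mean']:>12,.0f}  p90 ${stats['p90']:>12,.0f}")
```

Note how the two rankings disagree: the insider scenario tops the single-loss ranking because one event is very costly, while ransomware tops the annualized ranking because it happens more often. That gap is exactly why the recap describes ranking assets and triaging scenarios as separate steps, and why a regulator walking through the analysis can see where each number came from.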
Rachel commented “Regulators want to increasingly know how you got to these numbers. With FAIR, if you walk them through that analysis, you instantly gain credibility.”
The agenda wrapped with two concurrent sessions, one on integrating FAIR and TBM, the other considering the risk of ransomware. Several large companies run FAIR and TBM in tandem, as each comes at IT cost control from a different angle: FAIR by demonstrating ROI on cybersecurity investments while TBM tracks the business value of IT operations. Ransomware pay/no pay decisions are also in the FAIR wheelhouse. As panelist Summer Fowler from Carnegie Mellon’s CERT/Heinz College CISO Executive Certificate Program said, “Ransomware brings us back to the fundamentals of understanding our organization’s risk appetite and asset vulnerabilities.”
With the formal agenda concluded, the informal agenda took over, for some unquantifiable fun: Party at the Andy Warhol Museum, featuring a live band fronted by Steve Ward, the VP of Marketing at RiskLens.