FAIR Institute Chairman Nick Sanna gave a State of the Institute talk that wrapped up the remarkable string of events in the past year-plus, all pointing towards FAIR and risk quantification: the SEC’s revised guidance on cybersecurity disclosure, implementation of the New York Department of Financial Services reporting standards for cyber, the EU’s GDPR going into effect, RSA launching Archer CRQ, and Gartner’s statements of support for quantification (“they actually went to the point of saying GRC is dead”). In the same period, Institute membership passed 3,000 and 30% of the Fortune 100 are using FAIR.
This week, the Global Resilience Federation (GRF) and the Institute announced a partnership to train GRF members in FAIR. And coming up in November, the Institute will brief the new Department of Homeland Security National Risk Management Center on FAIR and launch a new Federal Government chapter.
FAIR model creator and Institute Chairman Jack Jones keynoted on The Next Frontier in Risk Management. “We’re beginning to make great progress on the risk measurement frontier,” Jack said, but “we have to open a second frontier to change views of what ‘mature’ means,” particularly working to show organizations the limitations of System 1 thinking applied to risk—the shorthand for fast and reflexive thinking, or “easy buttons,” as Jack put it, that define traditional, qualitative approaches to cyber risk analysis.
Jack presented some findings from the FAIR Institute’s 2018 Risk Management Maturity Benchmark Survey, which rated organizations on markers such as use of proper risk terminology or a risk model. The bottom line: the surveyed companies were still at a low level of maturity though improved from last year’s survey.
“The opportunity exists to dramatically improve the state of our profession,” Jack concluded. “Let’s do this!”
For Walmart, it was “showing how it makes their lives easier,” Joel said. Case in point: Convincing the vulnerability management people that “things that were risk were no longer risks” meant they didn’t need to set up “war rooms” when the need wasn’t critical, showing them how risk quantification “keeps them home on weekends.”
Case Study: Reporting to the Board: What Got You Here, Won’t Get You There, a solo presentation by Omar Khawaja, CISO at Highmark Health, was a master class in communicating risk to the board and the business. Among many nuggets of advice:
Panel: How to Communicate the Value of FAIR to Internal and External Stakeholders featured Rachel Slabotsky of RiskLens as moderator, with Greg Rothauser of MassMutual, Allison Seidel of PNC, Steve Reznik of ADP and Brandon Young of Charles Schwab. Greg gave a quick case study of how MassMutual met the new risk analysis requirements from the New York State Department of Financial Services using FAIR:
Rachel commented “Regulators want to increasingly know how you got to these numbers. With FAIR, if you walk them through that analysis, you instantly gain credibility.”
With the formal agenda concluded, the informal agenda took over, for some unquantifiable fun: Party at the Andy Warhol Museum, featuring a live band fronted by Steve Ward, the VP of Marketing at RiskLens.
Read more:
FAIRCON 18 Keynote: Jack Jones Leads the Way to ‘The Next Frontier in Risk Management’
FAIRCON 2018 Wrap: Tips on Board Reporting, Cyber Insurance Buying, CISO & CRO Relating