The second day of the 2018 FAIR Conference at Carnegie Mellon University in Pittsburgh was all about digging deeper to show in action the benefits for which FAIR and quantitative cyber and operational risk analysis are known: clarifying communication about risk up and down the chain of command and showing the ROI of difficult investment decisions such as buying cyber insurance.
The keynote address, A Risk Committee Chair’s View of ERM and Cybersecurity Oversight, by James Lam, Chairman of the Risk Oversight Committee for E*TRADE and author of Enterprise Risk Management, a standard text and Amazon best seller in the ERM field, set the pace. While many CISOs aspire to brief their boards of directors, Lam lifted everyone’s view to the mindset that a board seat really requires.
“Close your eyes and visualize risk,” Lam told the audience, adding that many of them were probably seeing a heat map populated with bad outcomes when they should think first of a bell curve, with downside risk on the left, upside risk on the right and “expected performance” in the middle. “If you want to add value to your business, you should think of risk that way.” While risk managers typically focus on the left side, “take a right to left approach to say, ‘What are the key decisions we need to make?’, then work backwards to ask, ‘How do we make better investments?’” Risk management, he said, “is about optimizing the bell curve.”
Lam also demonstrated how to stack cyber risk against the other risk concerns of boards (credit risk and market risk) for a true board’s eye view, and how the FAIR model can support board and senior management decision making by quantifying cyber risk in economic terms, identifying top cyber risks, defining risk appetite, and determining the cost effectiveness of cybersecurity controls and of cyber risk insurance purchase decisions.
While you may think of FAIR as a cyber risk analytical tool only, the talk by Christina Nelson, a Risk and Strategy Director for Walmart, on Adapting FAIR for Operational Risk, showed the usefulness of FAIR principles beyond cyber. Nelson found that “physical security practitioners think catastrophic is where their biggest risk is” and would focus security investment on protecting against the highest-impact events without regard to frequency, to put a FAIR lens on it. “If you show them FAIR and the concept of annual loss exposure, that’s an eye opener. Sometimes, the smaller impact events, that happen at a much higher frequency, end up costing more to the company.”
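Nelson’s point is easy to see with numbers. The script below is an added illustration, not material from her talk or from the FAIR Institute’s tooling: a minimal FAIR-style Monte Carlo that simulates years of loss events for two constructed scenarios, a rare catastrophic event and a frequent small one, and reports annualized loss exposure (ALE) alongside the tail of the annual-loss distribution. The scenario names, the three-point estimates and the use of a triangular distribution in place of the PERT curve that FAIR tools normally fit are all assumptions chosen for the example.

```python
"""
Added example: FAIR-style annualized loss exposure for two hypothetical scenarios.
Every number below is constructed for illustration; none comes from the conference.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class ThreePoint:
    """Calibrated minimum / most likely / maximum estimate, as FAIR analysts collect it.
    A triangular distribution stands in for PERT here (an assumption for the example)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)

    def expected(self) -> float:
        # Mean of a triangular distribution.
        return (self.low + self.mode + self.high) / 3.0


@dataclass(frozen=True)
class Scenario:
    name: str
    loss_event_frequency: ThreePoint  # loss events per year
    loss_magnitude: ThreePoint        # currency units per event


def poisson(lam: float, rng: random.Random) -> int:
    """Knuth's product method for a Poisson draw; fine for the rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(scenario: Scenario, years: int, seed: int = 2018) -> list:
    """One simulated year = sample a rate, draw the event count, sum per-event losses."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        rate = scenario.loss_event_frequency.sample(rng)
        n_events = poisson(rate, rng)
        losses.append(sum(scenario.loss_magnitude.sample(rng) for _ in range(n_events)))
    return losses


def percentile(values: list, q: float) -> float:
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(round(q * (len(ordered) - 1))))]


def summarize(scenario: Scenario, years: int = 20_000, seed: int = 2018) -> dict:
    losses = simulate_annual_losses(scenario, years, seed)
    return {
        "scenario": scenario.name,
        "ale_simulated": mean(losses),
        # E[annual loss] = E[frequency] * E[magnitude]; a sanity check on the simulation.
        "ale_analytic": scenario.loss_event_frequency.expected()
        * scenario.loss_magnitude.expected(),
        "p90": percentile(losses, 0.90),
        "p99": percentile(losses, 0.99),
        "share_of_loss_free_years": sum(1 for x in losses if x == 0) / years,
    }


# Constructed scenarios: the numbers are hypothetical.
CATASTROPHIC = Scenario(
    "rare catastrophic event",
    ThreePoint(0.02, 0.05, 0.10),          # once every 10 to 50 years
    ThreePoint(5e6, 20e6, 50e6),           # 5M to 50M per event
)
ROUTINE = Scenario(
    "frequent small loss",
    ThreePoint(20, 40, 80),                # tens of events per year
    ThreePoint(10e3, 50e3, 150e3),         # 10k to 150k per event
)

if __name__ == "__main__":
    for scenario in (CATASTROPHIC, ROUTINE):
        print(summarize(scenario))
```

With these inputs the frequent small loss carries more than twice the annualized exposure of the catastrophic one, while the catastrophic scenario shows a loss of zero in roughly nineteen years out of twenty and only appears in the far tail. Reporting ALE together with the 90th and 99th percentiles is what keeps both facts visible to the person allocating the budget.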
The session Using FAIR to Optimize Your Cyber Insurance Coverage pooled the brain power of the FAIR Institute’s Insurance Workgroup, led by Chip Block of Evolver, Inc., the cybersecurity services firm, with representatives from insurance companies Marsh and Aon, law firm Axinn, Veltrop & Harkrider LLP, healthcare services company ProPath and RiskLens, the FAIR Institute’s technical adviser. The group applied FAIR methodology to the tough decision of buying business interruption insurance to protect against the effects of cyber events. “Business interruption is a whole lot different from a breach loss,” Block said.
The result of their work is really a template for scoping the insurance problem space with FAIR. The group thought through the slippery question of how to estimate the frequency of loss events that lead to business interruption (think of how the NotPetya malware knocked many big companies offline) when attacks seem indiscriminate, and how to leverage business interruption data from other fields to get a handle on cyber. Their analysis also walks through the legal implications: lawsuits, fines and judgments. We’ll post the slides and the video soon; see those to fully digest this important topic.
The Insurance Workgroup was followed by two presenters from Express Scripts, Geoji Paul, Director of Information Security, and Ben Havelka, Quantitative Risk Analyst, on modeling catastrophic events with FAIR: not an academic experiment but a guidepost for buying cyber insurance. As Geoji Paul said, “Catastrophes force you to think about where your crown jewels are and what it would cost to lose them.”
The FAIR Awards luncheon honored three who are advancing the movement in favor of risk management aligned to business goals:
- FAIR Champion Award: Jack Freund, Director of Cyber Risk at TIAA, co-author of the standard FAIR book with Jack Jones, and a regular speaker at industry conferences advocating for quantitative risk analysis.
- Business Innovator Award: Omar Khawaja, CISO at Highmark Health, recognized for leading an enterprise-wide transformation in thinking about risk.
- FAIR Ambassador Award: Jason Ha, Director of the Digital Trust Risk Assurance Practice at PwC Australia, who opened the first FAIR Institute chapter in Australia and campaigned to bring quantitative risk analysis to government regulation.
The panel discussion Bridging the Gap Between the CISO & the CRO pushed ahead on an underlying question from the preceding sessions: If infosecurity becomes a discipline more aligned with the rest of the business, how does it interact with the traditional risk management groups in the organization?
Moderated by Amjed Saffarini, CEO of CyberVista, the training organization now offering FAIR courses to board members, the panel paired CISO Omar Khawaja with his counterpart, CRO Dennis Cronin of Highmark Health, along with Mary Ann Blair, CISO at Carnegie Mellon University. Cronin and Khawaja gave a close-up view of how their fluid, cooperative relationship works. “We talk directly to the audit committee of the board,” Cronin said, “and we make sure we don’t put different varieties of a risk assessment program in front of them.”
Blair’s comment on the traditional reporting lines: “A lot of what we do as CISOs in presenting to the board should probably go before the CRO first… as a way of moderating.” That route would be a good reminder to CISOs that cyber risk is “just another one on the risk register that they know and understand.”
In the final session of the day, Marta Palanques and Steve Reznik of ADP, one of the most sophisticated FAIR shops, showed how to use quantitative analysis to create and monitor a set of Key Risk Indicators for a ready answer when the board asks, “how are we doing?”
FAIR Institute CEO Nick Sanna and Chairman Jack Jones put the conference in perspective with some closing remarks. Nick said he was struck by how “the case studies are getting more thorough, solving more complex problems” and how many “people were seeking each other out” among the attendees. “Progress driven by FAIR Institute members appears to be collaborative and iterative,” he said.
Jones left the conference attendees with a call to dig deeper into their own thought processes and the groupthink of their organizations to eliminate “System 1 thinking” (unquestioning and reflexive following of standards and checklists), to keep “asking why root cause analysis is not always welcome” and to “leverage FAIR and the FAIR maturity model to help others calibrate how they think about risk measurement and risk management maturity.”