The keynote address, A Risk Committee Chair’s View of ERM and Cybersecurity Oversight, by James Lam, Chairman of the Risk Oversight Committee for E*TRADE and author of Enterprise Risk Management, a standard text and Amazon best seller in the ERM field, set the pace. While many CISOs aspire to brief their boards of directors, Lam lifted everyone’s view up to the mindset that’s really required.
“Close your eyes and visualize risk,” Lam told the audience, adding that many of them were probably seeing a heat map populated with bad outcomes when they should think first of a bell curve with downside risk on the left, upside risk on the right and “expected performance” in the middle. “If you want to add value to your business, you should think of risk that way.” While risk managers typically focus on the left side, “take a right-to-left approach to say, ‘What are the key decisions we need to make?’, then work backwards to ask, ‘How do we make better investments?’” Risk management, he said, “is about optimizing the bell curve.”
Lam also demonstrated how to stack cyber risk against the other risk concerns of boards (credit risk and market risk) for a true board’s-eye view, and how the FAIR model can support board and senior management decision making by quantifying cyber risk in economic terms, identifying top cyber risks, defining risk appetite, and determining the cost effectiveness of cybersecurity controls and cyber risk insurance purchase decisions.
While you may think of FAIR as a cyber risk analytical tool only, the talk by Christina Nelson, a Risk and Strategy Director for Walmart, on Adapting FAIR for Operational Risk, showed the usefulness of FAIR principles beyond cyber. Nelson found that “physical security practitioners think catastrophic is where their biggest risk is” and would focus security investment on protecting against the highest-impact events without regard to frequency, to put a FAIR lens on it. “If you show them FAIR and the concept of annual loss exposure, that’s an eye opener. Sometimes, the smaller impact events, that happen at a much higher frequency, end up costing more to the company.”
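Nelson’s point about annual loss exposure can be checked numerically. The following is an added example, not code from the conference or from Walmart: it calibrates two constructed scenarios FAIR-style (a loss event frequency plus a min / most likely / max loss magnitude), computes the analytic annualized loss exposure, and runs a Monte Carlo simulation to show that the rare catastrophic scenario produces a loss of zero in most years while the frequent small-loss scenario carries the larger annual exposure. The scenario names and figures are assumptions for illustration only.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """Loss event frequency (mean events/year) and a min/mode/max loss magnitude."""
    name: str
    events_per_year: float
    loss_min: float
    loss_mode: float
    loss_max: float


# Constructed illustrative scenarios; the figures are not from any real company.
CATASTROPHIC = Scenario("site-wide outage", 0.05, 5e6, 20e6, 60e6)      # ~once in 20 years
FREQUENT = Scenario("small-scale theft/fraud", 40.0, 5e3, 25e3, 150e3)  # a few per month


def expected_annual_loss(s: Scenario) -> float:
    """Analytic ALE: mean frequency times the PERT mean (min + 4*mode + max) / 6."""
    return s.events_per_year * (s.loss_min + 4 * s.loss_mode + s.loss_max) / 6


def _poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year (Knuth's method; fine for these rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while p > limit:
        k += 1
        p *= rng.random()
    return k - 1


def _pert(rng: random.Random, lo: float, mode: float, hi: float) -> float:
    """One loss magnitude drawn from a PERT (beta) distribution on [lo, hi]."""
    a = 1 + 4 * (mode - lo) / (hi - lo)
    b = 1 + 4 * (hi - mode) / (hi - lo)
    return lo + (hi - lo) * rng.betavariate(a, b)


def simulate(s: Scenario, years: int = 10_000, seed: int = 7) -> dict:
    """Simulate independent years; return mean and P50/P90/P99 annual loss."""
    rng = random.Random(seed)
    losses = sorted(
        sum(_pert(rng, s.loss_min, s.loss_mode, s.loss_max)
            for _ in range(_poisson(rng, s.events_per_year)))
        for _ in range(years))
    pct = lambda q: losses[min(int(q * years), years - 1)]
    return {"mean": sum(losses) / years, "p50": pct(0.5), "p90": pct(0.9), "p99": pct(0.99)}


if __name__ == "__main__":
    for s in (CATASTROPHIC, FREQUENT):
        print(f"{s.name:24} analytic ALE {expected_annual_loss(s):>14,.0f}  {simulate(s)}")
```

The catastrophic scenario’s 90th-percentile annual loss is zero (nothing happens in roughly 95% of simulated years), which is why a heat map focused on worst cases misses where the money actually goes.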
The result of the Insurance Workgroup’s work is really a template for scoping the insurance problem space with FAIR. The group thought through the slippery question of how to estimate the frequency of loss events that lead to business interruption (think of how the NotPetya malware knocked many big companies offline) when attacks seem indiscriminate, and how to leverage business interruption data from other fields to get a handle on cyber. Their analysis also walks through all the legal implications: lawsuits, fines and judgments. We’ll post the slides and the video soon, and you should see those to fully digest this important topic.
The Insurance Workgroup was followed by two presenters from Express Scripts, Geoji Paul, Director of Information Security, and Ben Havelka, Quantitative Risk Analyst, presenting on modeling catastrophic events with FAIR – not an academic experiment but a guidepost for buying cyber insurance. As Geoji Paul said, “Catastrophes force you to think about where your crown jewels are and what it would cost to lose them.”
The FAIR Awards luncheon honored three who are advancing the movement in favor of risk management aligned to business goals:
The panel discussion Bridging the Gap Between the CISO & the CRO pushed ahead on an underlying question from the preceding sessions: If infosecurity becomes a discipline more aligned with the rest of the business, how does it interact with the traditional risk management groups in the organization?
Moderated by Amjed Saffarini, CEO of CyberVista, the training organization now offering FAIR courses to board members, the panel paired CISO Omar Khawaja with his counterpart, CRO Dennis Cronin of Highmark Health, along with Mary Ann Blair, CISO at Carnegie Mellon University. Cronin and Khawaja gave a close-up view of how their fluid, cooperative relationship works out. “We talk directly to the audit committee of the board,” Cronin said, “and we make sure we don’t put different varieties of a risk assessment program in front of them.”
In the final session of the day, Marta Palanques and Steve Reznik of ADP, one of the most sophisticated FAIR shops, showed how to use quantitative analysis to create and monitor a set of Key Risk Indicators, for a ready answer when the board asks, “How are we doing?”
FAIR Institute CEO Nick Sanna and Chairman Jack Jones put the conference in perspective with some closing remarks. Nick said he was struck by how “the case studies are getting more thorough, solving more complex problems” and how many “people were seeking each other out” among the attendees. “Progress driven by FAIR Institute members appears to be collaborative and iterative,” he said.
Read more:
FAIRCON 18 Keynote: Jack Jones Leads the Way to ‘The Next Frontier in Risk Management’