The theme of the 2019 FAIR Conference that kicked off Tuesday is "How to Build a Quantitative Risk Management Program with FAIR" and comes with plenty of signs that the FAIR movement is pushing forward into wide acceptance: the gathering sold out in its biggest venue ever (Gaylord National Resort & Conference Center in National Harbor, MD), FAIR Institute membership has doubled in a year (to 6,400), and the leading voice in Congress for cybersecurity stopped by to say “you are moving the country to a better place.”
Here’s a quick look at some of the day’s sessions – we’ll publish the slides and videos from all the talks on the FAIR Institute website in the coming weeks.
Institute President and Founder Nick Sanna opened the event noting how in this fourth FAIRCON, the interest had evolved from “Can we do risk quantification?” to “Should we?” to “How do we actually do it?” to “How do we build systematic change…How do we make it part of our decision process?”
“I’m talking to an audience of unsung heroes. You are all called to be changemakers in a way that is really fundamental” – even if not always recognized.
Nick handed off to Jack Jones, Institute Chairman and creator of the FAIR model for his keynote “Enabling Risk Management Programs that Actually Work.” “We have a responsibility to help our organizations and industry manage risk as cost-effectively as possible,” Jack said, but corporate culture and lack of knowledge about how to implement a FAIR program often stand in the way. So, he laid out a roadmap for a workable, scalable program, showing how it could start with minimal investment in skills, data and tools. Read more on Jack’s keynote.
Up next was a panel discussion on “Defining the Goals of an Effective Risk Management Program” led by Jack Jones and including Christopher Porter (CISO, Fannie Mae), Omar Khawaja (CISO, Highmark Health), Emery Csulak (CISO, Department of Energy) and Joey Johnson (CISO, Premise Health). At one point, Jack asked the panel for their biggest challenges. Chris Porter answered that, since he sees cyber risk as business risk, it’s been a challenge to find people in the organization who really understand the business processes well enough to grasp the full extent of cyber risk. Emery Csulak answered that “our biggest problem was ourselves. We wanted perfect. What we had to do was say ‘What do we actually need to get started?’”
In the discussion “Building a Cybersecurity Program with a Risk Management Framework and FAIR”, FAIR book co-author and RiskLens Risk Science Director Jack Freund moderated for Ian Amit (CSO, Cimpress), Jason Martin (GRC Team Manager, Highmark Health) and Michael Parisi (Vice President Assurance Strategy, HITRUST). Ian gave a briefing on the combined use of FAIR and the NIST CSF; NIST recently published a “Success Story” case study on Cimpress. He said that Cimpress uses FAIR to identify top risks and uses the CSF to understand the lay of the land for controls, then takes the unusual step of letting the business unit owners pick and choose their own controls. Michael said that HITRUST is also working on integrating its framework with FAIR.
Rep. Jim Langevin (D-RI) came by for a lunchtime talk that demonstrated why he’s the leading cybersecurity expert in the U.S. House of Representatives. He gave a short history of US government involvement with cybersecurity risk standards, praised “risk quantification frameworks like the FAIR model,” then said “I look around the room today knowing that the work you are engaged in continues to evolve” and “Collectively, you are definitely moving the country to a better place.”
Among the afternoon sessions: Jack Whitsett, SVP and FAIR Team Lead, Bank of America, took a deep dive into “Operationalizing Risk Quantification in Business Processes” with the premise that a successful program goes beyond just FAIR analysis – see his working model of an expanded FAIR program:
Jack is a believer in a modularized program with well-developed processes and frameworks that can be used rapidly and over and over: “Your program as an iterative operational excellence tool making risk management explicit.”
Keith Weinbaum, Enterprise Risk Management Architect, Quicken Loans, covered a topic of high interest among FAIR practitioners looking to take their program to the next level: “Scoping Enterprise Risk Assessments” – in other words, bringing consistent risk management processes across the organization.
Keith described how his group created a generic risk matrix (Threats on one axis, Effects on the other) and paired it with value stream mapping for their product development, lead generation and mortgage sales to understand how cyber events would impact processes enterprise-wide. The result is a list of “key risk scenarios” to be entered into a risk register, ERM-ready.