Here’s a quick look at some of the day’s sessions – we’ll publish the slides and videos from all the talks on the FAIR Institute website in the coming weeks.
Institute President and Founder Nick Sanna opened the event noting how in this fourth FAIRCON, the interest had evolved from “Can we do risk quantification?” to “Should we?” to “How do we actually do it?” to “How do we build systematic change…How do we make it part of our decision process?”
“I’m talking to an audience of unsung heroes. You are all called to be changemakers in a way that is really fundamental” – even if not always recognized.
Nick handed off to Jack Jones, Institute Chairman and creator of the FAIR model, for his keynote “Enabling Risk Management Programs that Actually Work.” “We have a responsibility to help our organizations and industry manage risk as cost-effectively as possible,” Jack said, but corporate culture and lack of knowledge about how to implement a FAIR program often stand in the way. So, he laid out a roadmap for a workable, scalable program, showing how it could start with minimal investment in skills, data and tools. Read more on Jack’s keynote.
Up next was a panel discussion on “Defining the Goals of an Effective Risk Management Program” led by Jack Jones and including Christopher Porter (CISO, Fannie Mae), Omar Khawaja (CISO, Highmark Health), Emery Csulak (CISO, Department of Energy) and Joey Johnson (CISO, Premise Health). At one point, Jack asked the panel for their biggest challenges. Chris Porter answered that, since he sees cyber risk as business risk, it’s been a challenge to find people in the organization who really understand the business processes in order to understand the full extent of cyber risk. Emery Csulak answered that “our biggest problem was ourselves. We wanted perfect. What we had to do was say ‘What do we actually need to get started?’”
Rep. Jim Langevin (D-RI) came by for a lunchtime talk that demonstrated why he’s the leading cybersecurity expert in the U.S. House of Representatives. He gave a short history of U.S. government involvement with cybersecurity risk standards, praised “risk quantification frameworks like the FAIR model,” then said “I look around the room today knowing that the work you are engaged in continues to evolve” and “Collectively, you are definitely moving the country to a better place.”
Among the afternoon sessions: Jack Whitsett, SVP and FAIR Team Lead, Bank of America, took a deep dive into “Operationalizing Risk Quantification in Business Processes” with the premise that a successful program goes beyond just FAIR analysis, illustrated with his working model of an expanded FAIR program.
Jack is a believer in a modularized program with well-developed processes and frameworks that can be used rapidly and repeatedly: “Your program as an iterative operational excellence tool making risk management explicit.”
Keith described how his group created a generic risk matrix (Threats on one axis, Effects on the other) and paired it with value stream mapping for their product development, lead generation and mortgage sales to understand how cyber events would impact processes enterprise-wide. The result is a list of “key risk scenarios” to be entered into a risk register, ERM-ready.