Last week’s 2019 FAIR Conference in National Harbor, MD, drew a record crowd of enthusiastic practitioners and learners of FAIR quantitative risk analysis. Thorough media coverage of the event spread the word to a wider audience that risk management, particularly on the cyber side, is undergoing a fundamental change for the better, led by FAIR. Reporting from FAIRCON19 delivered a clear message that risk management needs to align with business strategy and communicate in business terms, namely with financial analysis powered by FAIR.
Here’s a look at the coverage:
Rethinking Risk Management by Kelly Sheridan for Dark Reading.
Dark Reading interviewed FAIR Institute Chairman Jack Jones for a preview of his keynote. Kelly noted that Jack is pushing the profession to focus on “the value proposition of risk management programs” and quoted him saying “part of what we expect to provide at this conference is helping people…describe the value proposition for change.”
The Challenges and Need for a Cost-Effective Risk Management Program by Jessica Davis for Health IT Security.
Health IT Security covered Jack’s keynote, with a focus on Jack’s challenge to the profession to step up and justify their work against all the other priorities of their organizations: “The dollars being spent on managing risk are dollars that can’t be spent on the business to build revenue,” Jessica quoted Jack.
How to Define and Prioritize Risk Management Goals by Kelly Sheridan for Dark Reading.
Dark Reading continued its coverage of FAIRCON with a look at the first panel of the conference, on “Defining the Goals of an Effective Risk Management Program,” including key points made by Joey Johnson, CISO of Premise Health, that alignment between the business and security risk management is “critical and overlooked.” Kelly wrote that “historically, security programs have involved a lot of ‘blocking and tackling’ to keep people out of trouble…But with the right strategy, security can be used to deliver valuable outcomes.”
Building Communication to Translate Cybersecurity as a Business Risk by Jessica Davis for Health IT Security.
Health IT Security also covered the “Defining the Goals” panel, with particular focus on comments from Omar Khawaja, CISO at Highmark Health, on how a FAIR-based approach helps communication with senior management. “The onus is on me,” Jessica quoted Omar. “[A business leader] doesn’t need to be smart enough in security. I need to be smart enough in business terms. I have to be very, very willing to walk through the analysis. It’s not ‘trust me, don’t look in my black box’. It’s ‘I’d be happy to.’”
Energy is using cyber risk assessments to make cloud decisions by Dave Nyczepir for FedScoop.
FedScoop covered the appearance on the "Defining the Goals" panel by Emery Csulak, CISO at the Department of Energy, who discussed his pioneering use of FAIR in a federal government agency: he has begun doing daily risk assessments and will use FAIR in making business cases during the fiscal 2021 budget process.
When Compliance Isn’t Enough: A Case for Integrated Risk Management by Kelly Sheridan for Dark Reading.
Rounding out a trifecta of coverage from Dark Reading, the popular outlet covered the second-day keynote by John Wheeler of Gartner, who gave the FAIRCON audience his critique of compliance-focused risk management, exemplified by widespread use of GRC tools. “For many organizations, they may have a false sense of security,” Kelly quoted John. “If they think they are compliant with regulations, risks are addressed.” Integrated Risk Management (IRM) takes risk management “beyond technology into the realm of people and process risk, and ultimately all the way up to overall strategic risk of an organization.”
You've known for some time that FAIR is the future of risk management; the cybersecurity industry is rapidly awakening to that fact, and the coverage from FAIRCON19 demonstrates it. In the coming days, you'll be seeing more of the presentations and panels from the event in an effort to help you spread knowledge to your peers.