FAIRCON19 Video: CISOs from Fannie Mae, Highmark Health, Department of Energy, and Premise Health Talk FAIR Cyber Risk Quantification
Led by FAIR model creator Jack Jones, the panel discussion “CISO Panel: Defining the Goals of an Effective Risk Management Program” at the recent 2019 FAIR Conference covered a lot of ground. Four chief information security officers, speaking from hands-on experience, discussed everything from building a FAIR program to briefing the board on cyber risk to dealing with internal audit:
- Christopher Porter, Fannie Mae
- Omar Khawaja, Highmark Health
- Emery Csulak, U.S. Department of Energy
- Joey Johnson, Premise Health
Watch the complete video of CISO Panel: Defining the Goals of an Effective Risk Management Program. Slides are attached.
Note: FAIR Institute membership and LINK community site membership required. Join the FAIR Institute now (it's free).
Some of the insights and advice you’ll learn in the video:
Omar Khawaja on FAIR as a security culture-builder
“The thing that was missing for us was each area where we had a set of controls in the security was doing phenomenally well, but when you added it all together and called it a single security program, it lacked significant cohesiveness. We realized the first thing that a culture needs is a common language, and that’s the reason we started to look at FAIR.”
Emery Csulak on overcoming obstacles to FAIR
“Our biggest obstacle was ourselves…and the fact that we wanted it perfect and that wasn’t achievable…We didn’t need the perfect methodology; we didn’t need the perfect set of metrics. We just needed to do the work… to start doing analyses. We needed to start talking to people about initiatives and processes we could apply it to…We built experiences that tell our story…and then the policies and procedures are falling out naturally from how we actually did the work not how we thought we should be doing the work.”
Joey Johnson on defining an effective risk management program, with cyber risk = business risk through FAIR
“For us, an effective program is about ensuring that we have the appropriate stakeholders involved and, in that case, when we are all speaking a similar language, the security initiatives and the funding for the program become self-sustaining…Security investments happen because stakeholders understand what we are trying to solve…Make sure there is a narrative within the entire organization so they are perceiving the risk management function as actually a driver of efficiency for the business.”
Chris Porter on driving risk-based decisions with FAIR
“You want to make sure you are reducing the right risks for the organization…[FAIR] arms you with other data that you can take into the organization to have those tough discussions with your business partners and IT partners.” Chris told the story of identifying a critical vulnerability that needed to be addressed. The team that owned the application thought they didn’t have the bandwidth to fix it, so they wanted to go through the risk acceptance process. Chris responded that, if the Social Security numbers in the application were lost, it would be a $20-30 million loss to the company “and I need you to sign right here. Then I need you to go in front of our technology risk committee and tell them why you’re willing to accept that kind of loss. People won’t risk-accept that kind of loss if you put a number to it.”
See more coverage of the 2019 FAIR Conference.