“The FAIR movement keeps growing and helping to turn risk management into a real and effective business science,” FAIR Institute President Nick Sanna said, opening the 2020 FAIR Conference. To quantify it: A record 2,000 registrants from more than 25 countries are attending 25 sessions over two days at the first virtual FAIRCON.
Here’s a rundown of some highlights from Day One – but the sessions were varied and so information-rich, you’ll want to replay and review the recorded versions. If you registered for the conference, you can return to the virtual Conference Hall for 30 days to watch session videos. Later in the year, they will be posted to the LINK members community on the FAIR Institute website. (Become a member now.)
Opening Keynote: Factoring Risk in Decision Making: How Better Risk Measurement Enables Better Decision-Making
Jack Jones, FAIR Institute Chairman and FAIR model creator
Phil Venables, Goldman Sachs Bank Board member and influential security blogger
Jack and Phil covered a crucial topic for FAIR proponents hoping to advance FAIR in their organizations: getting beyond the “so-what test,” as Phil said. Read more in this blog post.
Key Quote: “As risk professionals we can under-rate the human factors of delivering our results and figuring out the organizational dynamic, so they are best consumed.” – Phil Venables
Phil also said, “We’ve got so much more to do on risk quantification to bring what we do up to the level of maturity of some other risk disciplines…It’s definitely inspiring (to see) the progress that you guys have made, participants in the FAIR community and people who are using the tool every day.”
C-Level Panel - Improving Decision Making through the Adoption of FAIR
Frank Kim, Curriculum Director SANS
Pat McGuinness, CIRO, Manulife
Mary Faulkner, CISO, Thrivent Financial
Mike Green, CISO, Cigna
Omar Khawaja, CISO, Highmark Health
These experienced FAIR CISO/CIROs got down to cases on how they’ve applied quantitative analysis and won acceptance in the organization. Some tips:
- Socialize FAIR among stakeholders by paying for them to go through FAIR training
- Insist that a FAIR point of view and terminology be the rule for discussion – condition even engineers to think in terms of the resistance strength of controls, not maturity gaps.
- Choose progress over perfection in advancing the place for quantitative analysis in your organization.
Key Quote: “Make sure you are using the model to answer questions that are really of value to the business.” – Mike Green
Also…Omar Khawaja gave a solo presentation on Managing Risk in Times of Crisis: Applying FAIR to Become More Business-Centric during COVID. Omar covered communication strategies to get the business to “actually want to invest in security” and more.
Kristi gave a strong warning to public companies to keep risk disclosure statements up to date—the SEC brought enforcement actions against Yahoo! and Facebook for maintaining their status-quo statements at times when they knew they had suffered loss events. She also gave some direction on the ongoing question of what’s a material risk in cyberspace. In the case of a data breach risk that would be:
- What’s the importance of the data to your company?
- How will it impact your company’s operations?
- What is the range of harm?
Roundtable - Helping the Board Exercise Proper Cyber Risk Oversight
Larry Clinton, President, Internet Security Alliance
Daniel Dobrygowski, Head of Governance & Policy, Cybersecurity Legal Counsel, World Economic Forum
Shelley Leibowitz, Board Member E*TRADE, MassMutual
Lou DeSorbo, Chief Security Risk Officer, Centene
Panelists urged CISOs to get in line with top-of-mind issues for boards today, especially digital transformation. A good starting point for any CISO would be reading the cybersecurity handbook of the National Association of Corporate Directors, written together with the Internet Security Alliance, Clinton said, including the point that boards “expect that management will present them with a sophisticated cyber risk assessment - FAIR is a great example.”
Key Quote: “Cybersecurity is the way we used to think about it. Cyber risk is the way we are beginning to think about it and business resiliency and business enablement is the way we need to start thinking about it.” - Lou DeSorbo
Also…Case Study - Reporting Cyber Risk to the Board: Real Life Examples
Matt Kruse, Senior Director - Risk, Information Security and Compliance (RISC), FIS Global and Vince Dasta, Director - Cyber Risk Quantification, Protiviti, told how they created a simple statement of goals for board reporting, and analyzed a set of risk scenarios that showed proof of value for FAIR to the board.
Roundtable - A Strategic Approach to Defending the U.S. in Cyberspace
Rep. Mike Gallagher, Co-Chair, Cyberspace Solarium Commission
Chris Inglis, Cyberspace Solarium Commission Member, Former Deputy Director, NSA
Nick Sanna, President, FAIR Institute
A bracing reminder that cybersecurity is also national security – conference attendees heard from participants from the commission charged with drafting strategic recommendations to get out ahead of a “cyber 9/11”. Expect legislation or regulations to follow that could bring more public-private threat event or loss event information sharing and perhaps more required disclosure on cyber risk.
Key Quote: “You might say the strategy has caught up to FAIRCON and is ready to embrace what FAIR has to offer…Your work has been extremely valuable to all of the stakeholders who will embrace these (Solarium) recommendations.” – Rep. Gallagher
Presentation - Prioritizing NIST CSF Activities with FAIR
Richard Barretto, Security Operations Manager, Cimpress
Jack Freund, Fellow, FAIR Institute
Maybe the most asked question of quantification advocates starting their organization on a FAIR journey: how to leverage quantification with the most popular cybersecurity framework to sort through its best practices. Cimpress answered with a thorough and thoughtful mapping from FAIR to the CSF (given recognition in a NIST publication and with a FAIR Institute Excellence Award last year) that gave an “end-to-end picture of our security program,” as Richard said.
Key Quote: “Now we have (quantification in) dollars so if we ever needed to ask our management for investments, we can easily tie back the controls and detections to the top risks.” – Richard Barretto.
Presentation - How to Rapidly Triage Issues and Findings to Focus on What Matters Most
David Elfering, Senior Director of Information Security
Alyssa Hinz, Senior Information Security Specialist, Werner Enterprises
You learned FAIR and are eager to apply it on the job – but where do you start? David and Alyssa made a compelling case (along with a pile of useful tips) for putting your first efforts into building out your reusable loss tables and asset libraries, then doing a FAIR triage of your risks (they used the latest Rapid Risk Assessment capability on the RiskLens platform for cyber risk quantification).
Key Quote: “Relying on preplanning with assets and loss tables allows you to run quick scenarios in triage that will provide a lot of accuracy and you can definitely do a deep dive to any of these scenarios from triage (later).” – Alyssa Hinz
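To make the "loss tables first, then triage" approach concrete, here is an added example that is not code from the presenters, from RiskLens, or from the FAIR Institute. It is a minimal FAIR-style Monte Carlo: a constructed loss table holds calibrated three-point (PERT) estimates of loss magnitude per asset and loss form, each triage scenario pairs an asset with a loss event frequency estimate, and the simulation ranks scenarios by expected annual loss. All asset names, scenario names and dollar figures are constructed for illustration, and the model is deliberately reduced to loss event frequency and loss magnitude, without the threat event frequency, vulnerability and secondary loss branches of the full FAIR taxonomy.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """Calibrated three-point estimate (min, most likely, max), the usual FAIR input form."""
    low: float
    mode: float
    high: float

    def sample(self, rng, lam=4.0):
        # Modified-PERT via a scaled Beta distribution; lam=4 is the classic PERT shape.
        if self.high == self.low:
            return self.low
        span = self.high - self.low
        a = 1 + lam * (self.mode - self.low) / span
        b = 1 + lam * (self.high - self.mode) / span
        return self.low + rng.betavariate(a, b) * span


# Constructed loss table: for each asset, the per-event magnitude of each loss form in USD.
# Building this once is what lets later triage scenarios be scoped in minutes.
LOSS_TABLE = {
    "erp-system": {
        "response": Pert(100e3, 300e3, 1e6),
        "productivity": Pert(400e3, 700e3, 4e6),
    },
    "laptop-fleet": {
        "response": Pert(5e3, 10e3, 50e3),
    },
    "finance-mailbox": {
        "response": Pert(20e3, 50e3, 200e3),
        "fines": Pert(30e3, 50e3, 300e3),
    },
}


@dataclass(frozen=True)
class Scenario:
    """A triage scenario: an asset from the loss table plus a loss event frequency (events/year)."""
    name: str
    asset: str
    lef: Pert


# Constructed triage backlog (names and estimates are illustrative only).
SCENARIOS = [
    Scenario("ransomware disables ERP", "erp-system", Pert(0.1, 0.2, 0.5)),
    Scenario("unencrypted laptop lost", "laptop-fleet", Pert(2, 5, 10)),
    Scenario("BEC via finance mailbox", "finance-mailbox", Pert(0.5, 1, 2)),
]


def poisson(rng, lam):
    """Number of loss events in a year for a given rate (Knuth's method; fine for small rates)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def event_loss(rng, asset):
    """Loss magnitude of one event: the sum over the asset's loss forms in the loss table."""
    return sum(form.sample(rng) for form in LOSS_TABLE[asset].values())


def simulate(scenario, iterations=10_000, seed=2020):
    """Simulate annual loss for one scenario; returns summary statistics in USD."""
    rng = random.Random(seed)
    annual = []
    for _ in range(iterations):
        events = poisson(rng, scenario.lef.sample(rng))
        annual.append(sum(event_loss(rng, scenario.asset) for _ in range(events)))
    annual.sort()
    return {
        "name": scenario.name,
        "mean": statistics.fmean(annual),
        "p90": annual[int(0.9 * iterations)],
        "max": annual[-1],
    }


def triage(scenarios=SCENARIOS, iterations=10_000):
    """Rank scenarios by expected annual loss so the deep dives go to what matters most."""
    results = [simulate(s, iterations) for s in scenarios]
    return sorted(results, key=lambda r: r["mean"], reverse=True)


if __name__ == "__main__":
    for rank, r in enumerate(triage(), start=1):
        print(f"{rank}. {r['name']:<28} mean ${r['mean']:>12,.0f}  p90 ${r['p90']:>12,.0f}")
```

The expected annual loss of a scenario under this model is roughly the PERT mean of its frequency times the summed PERT means of its loss forms, so a one-line sanity check of each result against that product catches a mis-keyed loss table before anyone presents the ranking.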
Presentation - Improving DevSecOps with FAIR at DoorDash
Sarina Hothi, Security Project Manager, DoorDash
Case Study - How FAIR Analyses Support Decision-Making at Netflix
Tony Martin-Vegue, Sr. Information Security & Risk Engineer, Netflix
Two briefings from FAIR practitioners at tech companies and at different phases of FAIR adoption:
Sarina describes her experience with her first FAIR implementation – and Tony is a longtime practitioner and co-chair of the San Francisco chapter of the FAIR Institute.
Tips from Sarina for gaining benefit from FAIR even before you’ve built out an entire program:
- Use the model to break down and focus the scope of your projects to specific applicable threat scenarios
- Gradually demonstrate the business value of security to non-security stakeholders
- Knowing the taxonomy will help keep your teams speaking the same language and allow everyone to collectively understand the true risk to the business
Tips from Tony for creating a FAIR-first environment:
- Move FAIR analysis and your FAIR risk analysts, the actual personnel, closer to the decision makers. And move them closer to the decision. Don’t wait until it’s become a problem.
- Don’t perform FAIR analysis on issues – focus only on risk, forecasting and decisions.
- Understand what the decision is and scope your FAIR analysis to fit that.
And that wasn’t all…other FAIRCON sessions on Day One presented a panorama of use cases, finding better data to make better decisions and updates to the Open FAIR standard. Coming up on Day Two: A keynote discussion on unexpected risks with the Gray Rhino author Michele Wucker, a talk by How to Measure Anything author Douglas Hubbard, advice on surviving digital transformation, and a forecast for risk management by Gartner. See you at the virtual 2020 FAIR Conference.