A record 2,000 registrants from more than 25 countries attended 25 sessions over two days at the virtual 2020 FAIR Conference. Day Two featured ‘Gray Rhino’ book author Michele Wucker, Douglas Hubbard, author of the classic ‘How to Measure Anything’, Khushbu Pratap, Research Director at Gartner, and FAIR pioneers from government, healthcare and finance.
Here’s a rundown of some highlights from Day Two – but you’ll want to replay and review the recorded versions. As a registered FAIRCON2020 attendee, you can return to the virtual Conference Hall for 30 days to watch session videos. Later in the year, they will be posted to the LINK members community on the FAIR Institute website. (Become a member now.)
Opening Keynote Conversation - How to Help the Business Make the Right Decisions on Risks They Struggle to See
Michele Wucker, Author, "The Gray Rhino: How to Recognize and Act on the Obvious Dangers We Ignore"
Jack Jones, Chairman, FAIR Institute
What stops us from recognizing threats that are high impact, obvious and probable? That’s the central question of Michele Wucker’s book, more timely than ever in this time of pandemic – and highly relevant to FAIR advocates trying to move their organizations toward risk-based decision-making. Michele and Jack discussed:
--How to recognize the biases you are up against
--How to start big changes with little changes
--5 steps for changing an organization’s mindset about risk.
Key Quote: “People resist change to the way they think about and deal with risk, so they argue that current approaches are just fine.” – Jack Jones
Closing Keynote: Drivers for IRM, Digital Transformation & Cost Optimization
Khushbu Pratap, Research Director, Gartner
Khushbu shared surveys of Gartner clients that confirmed the communication gap between technical and business functions that FAIR aims to bridge – for example, 37% of business leaders said they had no visibility into the day-to-day risks they were asked to accept. She also presented Gartner’s view that risk management is about to undergo major changes in process and technology:
--Risk analytics will increasingly become automated.
--Risk management applications will move from being systems of record to decision support systems. Applications should be able to serve up risk treatment options.
--Risk-based decision-making in real time will become the norm. “So, you make a decision today and within less than a week, you are going to revisit because something has already changed on the ground.”
Key Quote: “Most business leaders do not have a lot of clarity in creating risk analytics at a business unit level, they do not know who’s accountable for getting those analytics and they do not necessarily know also how to set risk tolerance levels for their business unit.” - Khushbu Pratap
Case Study - Building A Quantitative Risk Management Program in the Federal Government
Emery Csulak, (CISO), Deputy CIO for Cybersecurity, Department of Energy
Dan LaGraffe, Director of Cybersecurity Operations, Department of Energy
Natalie Priani, Contractor Support Lead, Department of Energy, Accenture Federal Services
Cody Scott, Chief Cyber Risk Officer, National Aeronautics and Space Administration (NASA) & Government Chapter Co-Chair, FAIR Institute
This session offered a wealth of tips and techniques for introducing and promoting a FAIR program in any large organization, not just government. To focus on one topic: the DOE team shared the impressive set of educational materials they distribute to DOE staff, such as a read-ahead packet sent before a meeting with SMEs or stakeholders, a poster that encapsulates their messaging on FAIR processes and benefits, an executive deck, use cases and reporting templates, and visual breakdowns of analysis results that translate findings into recommendations.
Key Quote: “One of the first questions we get is ‘Why do this? What’s wrong with our stoplight risk charts?’ The answer is, ‘This is better at decreasing your uncertainty. It’s not a perfect answer. We understand that we don’t have full data sets. This process is forcing you to use data you already have. … For the gaps you do have, this process forces you to reach out to SMEs and build data sets you can use going forward to continuously build a risk management program which a traditional red/yellow/green will not allow you to do’.” - Natalie Priani
Presentation - The Team as a Measurement Instrument
Douglas Hubbard, Author, "How to Measure Anything in Cybersecurity Risk"
Doug has been a major influence on the FAIR movement, particularly with his advocacy for calibrated estimation as a foundational practice in data gathering for quantitative risk analysis. Doug made a return visit to introduce a new development: Gaining even better estimation from subject matter experts with a newly developed algorithm to generate performance weighted, aggregated estimates from SMEs.
Key Quote: “Calibrating teams will probably be the next big thing after calibration. We call this the FrankenSME.” – Doug Hubbard
Presentation - Support Your Company’s Digital Transformation during Times of Crisis
Harold Marcenaro, Digital Risk Officer, BCP
In an ambitious move, Harold introduced FAIR to BCP, Peru’s largest bank, at the same time the bank launched a thorough digital transformation in response to an alarming drop in customer satisfaction metrics. In fact, the overarching goal for the FAIR program was not restricted to cybersecurity – Harold shared how he created a new, high-level mission statement for the FAIR program focused on customer satisfaction. He also showed his detailed plans for the program launch.
Key Quote: “Risk had to be practically pushing its own transformation to enable the bank’s wider transformation. … or eventually risk would become a blocker.” – Harold Marcenaro
Healthcare Track Case Study - Building a Program with HITRUST & FAIR
Marshall Lambert, Team Lead, Cyber Risk Quantification, Highmark Health
Greg Rothauser, Sr. Risk Quantification Analyst, Highmark Health
Bryan Cline, Chief Research Officer, HITRUST
Tyler Britton, FAIR Institute Member & Cybersecurity Risk Consultant, RiskLens
A report from the team that produced a white paper on integrating FAIR with the HITRUST CSF, the widely used cybersecurity framework and threat catalog that simplifies compliance with many standards. The integration ties risk exposure to controls, adds cost-benefit analysis, and ultimately supports prioritization of control improvements. Download the FAIR-HITRUST Integration White Paper.
Key Quote: “We believe by leveraging what is likely to be the industry standard for quantified risk analysis that the FAIR Institute provides, we anticipate proving additional value to the marketplace.”- Bryan Cline
Panel - How FAIR Can Help Better Integrate Cyber Risk with ERM
James Lam, Independent Director, Chair of Risk Oversight Committees, E*TRADE, NACD 100 Honoree
Paul Sobel, Chairman, COSO
Greg Montana, Chief Risk Officer (CRO), FIS Global
Christopher Porter, CISO, Fannie Mae
Keith Weinbaum, Enterprise Risk Management Architect, Quicken Loans
Enterprise risk management guru James Lam led a structured conversation based on a circular framework that shows the interconnection among the elements of ERM:
--Governance structure and policies – who makes what decisions, and how risk appetite is set
--Risk assessment and quantification – how to make more informed decisions
--Risk management – including risk acceptance, pricing, capital allocation
--Dashboard reporting and monitoring – how we know we are accomplishing what we need.
Keith Weinbaum briefed on what may be the most evolved integration of FAIR into ERM – at Quicken Loans, all risk management is built on a foundation of FAIR scenarios and the risk organization has used FAIR to model out hundreds of scenarios “for every vector a malicious actor could take”, and aggregates all that analysis work to check against enterprise-wide risk appetite.
Key Quote: “How do you know when risk management is really working? The answer is when business people are making better decisions more of the time.” – Paul Sobel
Case Study - Decision Making with FAIR - Quantification and The Rise of Class Action Lawsuits
Chip Block, Vice President and Chief Solutions Architect at Evolver; Co-Chair, FAIR Institute DC Chapter
Denny Wan, Principal Consultant, Security Express; Chair, FAIR Institute Sydney Chapter
George Newhouse, Director, The National Justice Project; Adjunct Professor, Macquarie University
Trish Carreiro, Data Privacy and Cybersecurity Attorney at Carlton Fields, P.A.
Visesh Gosrani, Chair of Institute and Faculty of Actuaries Cyber Risk Working Party
This wide-ranging discussion on cybersecurity and the law covered directors’ liability, the rising number of class action suits, rising risk from state privacy laws, and getting the right level of insurance coverage. One highlight: Attorney Trish Carreiro explained how risk quantification makes for a good defense against plaintiffs claiming a company was negligent. It provides a paper trail showing the organization took justifiable steps to protect itself before the loss event – and if sued, quantification gives a readout on exposure that helps in planning a defense strategy.
Key Quote: “If you are making decisions that are going to directly affect the value of the company – whether that be because of breach, because of ransomware, or the loss of operations – without understanding the value and the quantitative impact, how do you make a good decision?” – Chip Block
That’s a wrap for FAIRCON2020 but…
You can watch videos of the sessions to catch up on any you missed. As a registered FAIRCON2020 attendee, you can return to the virtual Conference Hall for 30 days to replay sessions. Later in the year, they will be posted to the LINK members community on the FAIR Institute website. (Become a member now.) See you at FAIRCON2021!