The 2020 FAIR Conference opened with a keynote discussion between two wise men of cybersecurity, FAIR model creator and FAIR Institute Chairman Jack Jones and Goldman Sachs Bank Board Member and veteran CISO Phil Venables, on the topic of “How Better Risk Management Enables Better Decision Making”.
“Everything we do is driven by decisions,” Jack said – and their discussion turned on how risk managers can move from models and numbers to “go pass the ‘So what?’ test,” in Phil’s words.
Watch a video of the keynote discussion: If you registered for the conference, you can return to the virtual Conference Hall for 30 days to watch session videos. Later in the year, they will be posted to the LINK members community on the FAIR Institute website.
Here are six pieces of distilled wisdom on cybersecurity risk management from Jack and Phil:
The three markers of action-oriented risk measurement.
As Jack said:
2. Accuracy with enough precision to be useful
3. Not cost-prohibitive
Good measurement doesn’t count without good communication.
Phil said that risk reporting must be delivered “in the right context” for a business audience to understand. “As risk professionals we can under-rate the human factors of delivering our results and figuring out the organizational dynamic so they are best consumed.”
Quantitative and qualitative risk management must work together.
“Even in the presence of data and actual quantified risk measurement, there’s still a high degree of judgment needed,” said Phil. “When people set qualitative and quantitative against each other, it loses the fact that any good risk manager is going to use both.”
Don’t let the perfect get in the way of good risk analysis.
Jack and Phil agreed about the nature of the opposition to quantitative risk methods. As Phil said, “In certain aspects of the information security profession it seems to be dismissed unless it can be a single perfect model that has 100 percent reliability…In no other field of risk management is such a high bar set…
“The education challenge we have in this space is to help people understand the process of using these things as opposed to hoping there’s going to be some sort of magic oracle that outputs a decision.”
Quantitative cyber risk analysts should reach out beyond cyber.
When risks from different domains are considered together “there may be a common solution for all of them that may be more cost-justifiable,” Phil said. “We don’t talk enough as an industry of how to bring risks together of different quantification and make a case for their collective mitigation.”
On the place for FAIR in the evolution of cyber risk management…
“I so admire the work that everybody involved in FAIR has been doing over the years,” Phil said. “We’ve got so much more to do on risk quantification to bring what we do up to the level of maturity of some other risk disciplines…It’s definitely inspiring the progress that you guys have made, you participants in the FAIR community and people who are using the tool every day. It’s inspirational to see the progress.”