The 2021 FAIR Conference kicked off two days of intensive presentations, case studies and panel discussions exploring every angle of the topic most on the mind of CISOs and risk managers this year: resilience.
Here follows some of the highlights from Day One – but you won’t miss anything. Videos of the sessions have been posted to the LINK members community on the FAIR Institute website. (Become a FAIR Institute member now.)
Welcome and Opening Keynote
Nick Sanna, President, FAIR Institute
Mary O’Brien, General Manager, IBM Security
It wasn’t long ago that many questioned whether cyber risk could even be measured, Nick said, but the FAIR movement for quantitative risk management has steadily made gains and become an integral component of many organizations’ decision processes.The other big development coming to FAIRCON21 – Jack Jones presenting the FAIR Controls Analytics Model (FAIR-CAM™), “that may have a bigger impact on the industry than the release of the FAIR Model itself.” Be sure to attend Jack’s speech Wednesday 12:30 PM ET.
Nick was followed by Mary O’Brien of IBM, who framed up the challenge of resilience for security and risk managers: “The security programs of the best modern, resilient businesses need to be designed from the top. They need to be aligned with the goals of the business…aware of the critical assets of the business, and aware of what’s happening in the wild.”
C-Level Panel - How Risk Management Is Helping Companies Be More Resilient during Digital Transformation
Moderator: Omar Khawaja, CISO, Highmark Health
Betty Elliott, CISO, Freddie Mac
Mary Elizabeth Faulkner, CISO, Thrivent Financial
Harold Marcenaro, Digital Risk Officer, BCP
Asked to reflect on lessons learned about organizational resiliency from pandemic times, this tech-savvy panel came to a surprising conclusion: “The technology was the easy part; it’s really developing appropriate processes as it relates to our people” that was the challenge, said Betty Elliott. Case Study - Using FAIR & Cyber Risk Quantification to Increase Resilience for Your Company
Dan Garcia, Deputy CISO, Datto
Tyanna Smith, Cyber Risk Manager, Datto
Jack Whitsitt, Cyber Risk Manager, Datto
At any time, a CISO might be called in front of the board or senior management after a well-publicized cyber event and asked, “can something like this happen to us?”
The Datto team reported on how they conducted a competitor cyber incident comparison that was a detailed look at applying FAIR techniques to reverse engineer the likelihood and impact of an incident based on public reporting. This session also delivered insights into how to work with stakeholders to carefully scope loss scenarios that would teach the most lessons on resilience.
Presentation - Assessing Cyber Resilience Preparedness
Matt Tolbert, Sr. Cybersecurity Specialist, Supervision and Regulation, Federal Reserve Bank of Cleveland
In a rare opportunity to hear a Fed insider talk candidly about cybersecurity, Matt gave five tips on how to measure resiliency for any organization, including advice on testing controls against your top risk scenarios. “I think we are reaching inherent limitations of what controls can and cannot do,” Matt said, increasing the importance of building resilience.Fireside Chat - How to Get a FAIR Program Off the Ground
Moderator: Rachel Slabotsky, Director, Professional Services, RiskLens
Tony Martin-Vegue, Senior Information Security Risk Engineer, Netflix
Prashanthi Koutha, Senior Risk Engineer at Netflix
Launching a FAIR program and evolving your organization to quantitative risk management may look like a steep hill, but Tony and Prashanthi, veterans of several FAIR program launches, mapped out the one-step-at-a-time approach that’s worked for them.
They recommend reading the FAIR book (Measuring and Managing Information Risk by Jack Jones) and the How to Measure Anything books by Douglas Hubbard to start because “risk quantification is a mindset,” as Prashanthi said.
For re-orienting the organization, start with normalizing risk findings, filter out the noise about vulnerabilities, etc. and apply FAIR risk scenarios. Next step: Take existing programs and processes and add more rigor. The only goal is to be better every day than yesterday, she added.
Case Study - Just Quantify It: Make Better Business Decisions for Third Party Risk Management
Josh Malnourie, Information Security Advisor at Blue Cross Blue Shield of North Dakota (BCBSND)
Bob Maley, Chief Security Officer, Black Kite
TPRM is on every CISO’s mind these days. Josh Malnourie was a pioneer, starting a FAIR program to assess third party vendors back in 2017.
One FAIR victory: “We used to have a 65-page HIPAA checklist” as a very time-consuming risk assessment tool. “Now, we are able to do that really quickly…We’re still able to get to the essence of what we were trying to do, we are just getting to it in a smarter way with way more data points.”
Case Study - Adopting FAIR - Transition from Cyber to Operational Risk
Aidan Farren, Global Security Risk & Policy Management, HPE
Aidan Whelan, Cyber Security Risk Analyst, HPE
Jay Reyna, Enterprise Risk Management, HPE
HPE started with FAIR in 2018 and, when leadership saw its success, asked to extend the program to supply chain, crisis management and the rest of enterprise risk management. The panelists discussed adopting non-cyber data inputs to FAIR analysis (see the chart below), for instance the opinions of experts on tax risk, and the records on product reliability for product risk.
Using FAIR, “gives the board of directors and management across the company confidence that we are looking at risk from a sophisticated perspective,” said Jay Reyna. “This process gives us a lot of credibility.”
