FAIRCON21 Day One: Achieving Cyber Resilience with Advice from IBM, HPE, Federal Reserve, Netflix, and More FAIR Risk Management Leaders

FAIRCON21 Logo - 2021 FAIR Conference-1The 2021 FAIR Conference kicked off two days of intensive presentations, case studies and panel discussions exploring every angle of the topic most on the mind of CISOs and risk managers this year: resilience.

Here follows some of the highlights from Day One – but you won’t miss anything. Videos of the sessions have been posted to the LINK members community on the FAIR Institute website.  (Become a FAIR Institute member now.)

Welcome and Opening Keynote

FAIRCON21 - Nick Sanna Pres FAIR InstNick Sanna, President, FAIR Institute

Mary O’Brien, General Manager, IBM Security

It wasn’t long ago that many questioned whether cyber risk could even be measured, Nick said, but the FAIR movement for quantitative risk management has steadily made gains and become an integral component of many organizations’ decision processes.
Nick said that at this year’s FAIR conference, the movement was stepping up “to focus on the ultimate goal of risk management” – resilience.

The other big development coming to FAIRCON21 – Jack Jones presenting the FAIR Controls Analytics Model (FAIR-CAM™), “that may have a bigger impact on the industry than the release of the FAIR Model itself.” Be sure to attend Jack’s speech Wednesday 12:30 PM ET.

Nick was followed by Mary O’Brien of IBM, who framed up the challenge of resilience for security and risk managers: “The security programs of the best modern, resilient businesses need to be designed from the top. They need to be aligned with the goals of the business…aware of the critical assets of the business, and aware of what’s happening in the wild.” 

C-Level Panel - How Risk Management Is Helping Companies Be More Resilient during Digital Transformation

Betty Elliott CISO Freddie MacModerator: Omar Khawaja, CISO, Highmark Health

Betty Elliott, CISO, Freddie Mac

Mary Elizabeth Faulkner, CISO, Thrivent Financial

Harold Marcenaro, Digital Risk Officer, BCP

Asked to reflect on lessons learned about organizational resiliency from pandemic times, this tech-savvy panel came to a surprising conclusion: “The technology was the easy part; it’s really developing appropriate processes as it relates to our people” that was the challenge, said Betty Elliott.
“Resilience is mostly about human behavior,” Harold Marcenaro said. “In order to change human behavior, you need two things: one is motivation, the other is less friction…We learned the key is in reducing friction in change, with training, templates, codes inserted.” 

Case Study - Using FAIR & Cyber Risk Quantification to Increase Resilience for Your Company 

Dan Garcia, Deputy CISO, Datto

Tyanna Smith, Cyber Risk Manager, Datto

Jack Whitsitt, Cyber Risk Manager, Datto 

At any time, a CISO might be called in front of the board or senior management after a well-publicized cyber event and asked, “can something like this happen to us?”

The Datto team reported on how they conducted a competitor cyber incident comparison that was a detailed look at applying FAIR techniques to reverse engineer the likelihood and impact of an incident based on public reporting. This session also delivered insights into how to work with stakeholders to carefully scope loss scenarios that would teach the most lessons on resilience. 

FAIRCON21 - Matt Tolbert - Federal Reserve - SmallPresentation - Assessing Cyber Resilience Preparedness

Matt Tolbert, Sr. Cybersecurity Specialist, Supervision and Regulation, Federal Reserve Bank of Cleveland 

In a rare opportunity to hear a Fed insider talk candidly about cybersecurity, Matt gave five tips on how to measure resiliency for any organization, including advice on testing controls against your top risk scenarios. “I think we are reaching inherent limitations of what controls can and cannot do,” Matt said, increasing the importance of building resilience.

Fireside Chat - How to Get a FAIR Program Off the Ground 

Moderator: Rachel Slabotsky, Director, Professional Services, RiskLens

Tony Martin-Vegue, Senior Information Security Risk Engineer, Netflix

Prashanthi Koutha, Senior Risk Engineer at Netflix 

Launching a FAIR program and evolving your organization to quantitative risk management may look like a steep hill, but Tony and Prashanthi, veterans of several FAIR program launches, mapped out the one-step-at-a-time approach that’s worked for them.

They recommend reading the FAIR book (Measuring and Managing Information Risk by Jack Jones) and the How to Measure Anything books by Douglas Hubbard to start because “risk quantification is a mindset,” as Prashanthi said.

For re-orienting the organization, start with normalizing risk findings, filter out the noise about vulnerabilities, etc. and apply FAIR risk scenarios. Next step: Take existing programs and processes and add more rigor. The only goal is to be better every day than yesterday, she added. 


Case Study - Just Quantify It: Make Better Business Decisions for Third Party Risk Management

FAIRCON21 - Josh Malnourie 2Josh Malnourie, Information Security Advisor at Blue Cross Blue Shield of North Dakota (BCBSND)

Bob Maley, Chief Security Officer, Black Kite

TPRM is on every CISO’s mind these days. Josh Malnourie was a pioneer, starting a FAIR program to assess third party vendors back in 2017.

One FAIR victory: “We used to have a 65-page HIPAA checklist” as a very time-consuming risk assessment tool. “Now, we are able to do that really quickly…We’re still able to get to the essence of what we were trying to do, we are just getting to it in a smarter way with way more data points.” 

Case Study - Adopting FAIR - Transition from Cyber to Operational Risk

Aidan Farren, Global Security Risk & Policy Management, HPE

Aidan Whelan, Cyber Security Risk Analyst, HPE

Jay Reyna, Enterprise Risk Management, HPE

HPE started with FAIR in 2018 and, when leadership saw its success, asked to extend the program to supply chain, crisis management and the rest of enterprise risk management. The panelists discussed adopting non-cyber data inputs to FAIR analysis (see the chart below), for instance the opinions of experts on tax risk, and the records on product reliability for product risk.

Using FAIR, “gives the board of directors and management across the company confidence that we are looking at risk from a sophisticated perspective,” said Jay Reyna. “This process gives us a lot of credibility.”

FAIRCON21 - HPE - FAIR for Operational Risk

Learn How FAIR Can Help You Make Better Business Decisions

Order today
image 37