FAIRCON21 Day Two: Jack Jones Releases FAIR-CAM™ and Risk Management Leaders Share the Latest on Data Science, Board Reporting, Critical Infrastructure and More

Day Two of the 2021 FAIR Conference (FAIRCON21) offered a widely diverse agenda with actionable tips and teachable insights from the forefront of the FAIR movement. But the centerpiece was the this-changes-everything speech by FAIR standard creator Jack Jones introducing the FAIR Controls Analytics Model™ (FAIR-CAM™), the new standard for modeling and quantifying the value for risk reduction of controls and controls systems.  

FAIR Institute members can watch the videos of the FAIRCON21 sessions in the LINK member community. Not a member yet? Join the FAIR Institute now, then sign up for LINK. 

Here are some highlights from the final day of the FAIR Conference:


Keynote Presentation: Understanding the Value of Controls in Cyber Risk - Unveiling the FAIR Controls Analytics Model™ (FAIR-CAM™)

Jack Jones, Chairman, FAIR Institute

“If we want to effectively manage a problem space like cybersecurity, we have to account for its complex nature,” Jack said, challenging his audience to move beyond the compliance checklist mentality and take a systems view of cyber defenses. FAIR-CAM uncovers how controls function singly and together, enables a flow-chart view of loss events and empowers root-cause analysis. “Now, we can begin to understand where controls fit into the loss event chain,” Jack said. Read a blog post on Jack’s FAIR-CAM presentation and visit the FAIR Institute’s FAIR-CAM information page.

Keynote Address - Designing Resiliency and Security at a Time of Uncertainty and Change

John A. Wheeler, Global Research Leader - Risk Management Technology, Gartner

The influential analyst from Gartner discussed four emerging trends he’s watching, including growing recognition by boards that cyber risk is business risk, and their demands for a multi-dimensional view of risk that goes beyond the GRC and compliance mindset. That points to “the greatest opportunity for risk management and compliance professionals to up their game through the use of methodologies like FAIR and technology to enable scenario analysis.”

Join the FAIR movement - learn FAIR quantitative risk techniques in online courses

2021 FAIR Awards Ceremony

The annual FAIR awards went to Zach Cossairt, Information Security Program Manager, Equinix; Christopher Porter, CISO, Fannie Mae; and Christophe Foret and Tom Callaghan, Co-Chairs, FAIR Institute Paris Chapter and Co-Founders, C-Risk for their work implementing and advocating FAIR. For example, Chris and the Fannie Mae team developed the concept called FAIR-FAST to ensure rapid risk analysis for issue management, which then allows detailed analysis to focus on strategic top-risk decision support. 

Case Study - Accelerating FAIR Analyses by 10x with Industry Data

Ben Gowan, Data Science Manager, RiskLens

Justin Theriot, Sr. Data Scientist, RiskLens

Cutting edge stuff here: Ben and Justin described how to speed analysis by leveraging industry data in addition to your own. They also presented some new insights into data from their number-crunching, for example, how increasing the number of records in a database predictably increases the cost of a data breach.


Presentation - Practitioner Use Case Panorama

Moderator: Donna Gallaher, President & CEO, New Oceans Enterprises, LLC, Atlanta Chapter Chair

Brad Carvellas, CISO, The Guthrie Clinic

Mike Radigan, Global Leader, Cyber Risk Quantification Practice

Cedric De Carvalho, Cyber Risk Manager, Richemont International SA

The panel delivered some important lessons on launching and socializing a FAIR program. Brad, a healthcare provider CISO, discussed riding a wave of bad news about ransomware attacks on hospitals to turn around the attitudes of a management that had been indifferent to cyber risk. Mike discussed a similar challenge: Working with power plant operators to normalize cyber risk and operational risk so they could stack rank their risks equally – in fact, they were surprised to learn from FAIR analysis that cyber risk was their top risk in terms of annualized loss exposure. Cedric described how Richemont, a conglomerate of 26 separately managed businesses, is constructing a FAIR-based analysis assembly line to handle their high daily volume of security findings and issues. 


Presentation - Ensuring the Resilience of National Critical Functions

Bob Kolasky, Director, National Risk Management Center (NRMC), Department of Homeland Security (DHS)

Bob gave a briefing on the Systemic Cyber Risk Reduction Venture, an effort to manage and reduce cyber risks to critical infrastructure. The Venture is mapping 55 functions critical to national security, business, and daily life and “we are starting to see real investment being made in strengthening those critical elements.” Bob made a pitch for business-government collaboration: “I want to bring in the risk community to deal with this unacceptable period of cyber risk. We need help borrowing from techniques and learning how to price risk into decision-making in both business and government.”

Board Panel - Improving Risk Governance and Avoiding Blind Spots, Biases and Bad Incentives 

Elizabeth Sheedy, Author, Risk Governance, Biases, Blind Spots and Bonuses

James Lam, Independent Director, Chair of Risk Oversight Committees, E*TRADE, NACD 100 Honoree

Deb Dunie, NACD Board Leadership Fellow

Prof. Sheedy of Macquarie University kicked off the discussion by reporting on a study of banking executive accountability regulations in the UK and Australia that found they worked in “creating a true risk culture” and reducing a pass-the-buck mentality. Deb agreed that particularly in cyber risk, “it’s critical that we set up a culture that rewards people for telling bad news stories” before a data breach or other cyber loss event hits. James added the corollary: “Over time if you have good data and good analytics, you will have better judgement” – and that’s where the FAIR model and quantitative risk analysis come into play.
