FAIRCON22 Day One: Scaling FAIR Programs by Changing Culture, Overcoming Objections, Juicing ‘Voltage’ and More Tips from Netflix, Victoria’s Secret, Funko – and the Federal Reserve

FAIRCON22 - Jack Jones - Bryan Smith - RiskLensThe theme of this year’s FAIR Conference (FAIRCON22) is “scale,” as in expanding use of the international standard for quantitative risk analysis for ever more ambitious risk management programs. But FAIR has scaled up into a movement, too, and the range and variety of thought and energy generated by FAIR followers was on full display at the conference. Here’s a run through the agenda for the first day.  See a report on Day Two of FAIRCON22 

FAIR Institute President Nick Sanna Welcomes All with 10 Reasons Why FAIR Rules

FAIRCON22 - Nick SannaNick counted down the quantitative proof: FAIR Institute membership close to 14,000 representing 139 countries, 10,000 have completed FAIR training including 1,200 certified. More reasons for FAIR’s position as the international standard for quantitative risk analysis: It’s an open and defensible standard while proprietary models may not be, FAIR analytics work across risk domains beyond cyber, it’s a true value at risk and an added value to risk and control frameworks. Nick also announced some coming attractions for the Institute:

  • A new resources platform for the website
  • A new Slack platform for members to seek and give advice
  • A tiered membership system with enhanced privileges 

Larry Clinton Makes a Plea to Re-Focus Cybersecurity on Cyber Risk Economics 

The President of the Internet Security Alliance, the Washington think tank/lobbying organization said that if cybercrime were an economy, it would be the biggest in the world at $6 trillion. We need to attack the problem on an economic level, he argued, and “mandate or incentivize organizations to do a sophisticated cyber risk assessment.”

More about the ISA’s proposals.



CISO Panel on Making the Change to a Risk-based Corporate Culture

Moderator: Omar Khawaja, CISO, Highmark Health

Mark Tomallo, SVP, CISO, Victoria’s Secret

Mary Elizabeth Faulkner, CISO, Thrivent Financial

Jeff Norem, Deputy CISO, Freddie Mac 

For anyone introducing FAIR, this session was a lot of well-honed advice from FAIR leaders who’ve been there. Mark Tomallo urged FAIR advocates to go for “progress over perfection” and Omar Khawaja put a bit of a different spin on that: follow the MAYA principle from the design world, “most advanced yet most acceptable.” Mary Elizabeth Faulkner suggested “build trust” and “communicate in business terms.” “How do you compete with a lot of larger personalities” in corporate management?” Mark asked “…For me that was FAIR.” 

Doug Hubbard’s “FrankenSME” and other Calibration Techniques

The author of the How to Measure Anything books gave a mini-course on getting the most from data and forecasting, including rolling up your best subject matter experts into a FrankenSME with super estimating powers. 

JFAIR-CAM Detail - Featured Imageack Jones with Bryan Smith of RiskLens on How to Scale FAIR Programs with Controls Analytics

The sessions with Jack expounding on his new FAIR-CAM™ (FAIR Controls Analytics Model) will all be standing room only at FAIRCON22. This session had the added attraction of a preview of the integration of FAIR-CAM into the RiskLens cyber risk quantitative analysis platform.

Automation is the answer to scaling FAIR risk management, Jack said, but to get automation right requires carefully getting the scope, data and model right for risk assessment, as well as the controls environment, “the most complicated part of our problem space. Nothing else comes close.” FAIR-CAM aims to solve the automation problem and in the process many others. For instance, why do organizations fail so often at patching? By uncovering controls dependencies and interrelationships, FAIR-CAM will be a powerful diagnostic tool, Jack said.

Learn about FAIR-CAM

FAIRCON22 Netflix Slide DetailCase Study from Netflix: Answering 5 Objections to FAIR 

 Two FAIR veterans, Prashanthi Koutha and Tony Martin-Vegue use this technique: When they introduce FAIR to new stakeholders, they also present the common objections to quantitative risk analysis and the answers to turn doubts into support. For instance, #5 “It takes longer – we could do 15 red/yellow/green assessments in the time it takes you to do one FAIR.” The answer: yes, but only 10% longer and “all that cool stuff is just one extra step” of data gathering beyond all the other steps shared with coloring risks. 

Harnessing Voltage in Our FAIR Risk Programs 

Here’s a great example of the creative connections that go on at a FAIR Conference.  Zach Cossairt, a FAIR champion at Equinix as Information Risk Program Senior Manager and a graduate student of behavioral economics presented on scaling a FAIR program following the insights of John A. List, author of The Voltage Effect: How to Make Good Ideas Great and Great Ideas Scale. Example: how to construct “decision-making environments” that guide senior managers to make the right decisions. 

Read more from Zach

Case Study: Funko Scales a FAIR Program from a Standing Start 

Markus Kaufman, CISO for toymaker Funko, and his adviser Tom Callaghan of C-Risk, answered the question of how to scale from zero – make a three-year plan, starting with five high-level risk assessments and working up to board-level reporting. “Before getting an audience with the board was difficult,” Markus said. “Now, they’ve asked us to report on a quarterly basis.”

Watch a short video conversation with Markus

For the Federal Reserve, Cyber Risk = Business Risk = Systemic Risk

The struggle some FAIR evangelists face is convincing the business that cyber risk isn’t a technical risk only, it’s also business risk. The banking system is concerned about the next step up, cyber risk as systemic risk. Matthew Tolbert, Senior Cybersecurity Specialist, United States Federal Reserve, reported to the conference that, given the digital transformation of the banking industry, “a small control failure could fail the whole system.” It was disturbing to hear that banking regulators still require only qualitative risk reporting in many cases but encouraging that, Matt finds, large banks are now using FAIR in their Comprehensive Capital Analysis and Reviews (CCAR) for the Federal Reserve. 

Cyentia Unveils IRIS 2022, a Scaled Up New Release of their Quantitative Risk Reporting 

Wade Baker and David Severski of the research firm Cyentia have expanded and sharpened their well-known reporting on cyber risk, now applying machine learning to extract more data about loss events from public records. One surprise: Overall, the size of cyber losses has not grown in recent years, though there is an upward trend for loss among the most costly events. 

More about the Cyentia IRIS 2022 report

FAIRCON22 - Cyentia Presentation

And there was more: A case study on scaling FAIR for M&A and a Washington update from the Solarium Commission successor organization. Look for videos of all the sessions online for FAIR Institute members in the coming weeks.

FAIRCON22 - Party-jpg

FAIRCON22 Day One party at the DC Waterfront. 

FAIRCON22 - Party 2


Learn How FAIR Can Help You Make Better Business Decisions

Order today
image 37