The theme of this year’s FAIR Conference (FAIRCON22) is “scale,” as in expanding use of the international standard for quantitative risk analysis to ever more ambitious risk management programs. But FAIR has scaled up into a movement, too, and the range and variety of thought and energy generated by FAIR followers was on full display at the conference. Here’s a run through the agenda for the first day. See also the report on Day Two of FAIRCON22.
FAIR Institute President Nick Sanna Welcomes All with 10 Reasons Why FAIR Rules
Nick counted down the quantitative proof: FAIR Institute membership is close to 14,000, representing 139 countries; 10,000 people have completed FAIR training, including 1,200 who are certified. More reasons for FAIR’s position as the international standard for quantitative risk analysis: it’s an open and defensible standard, while proprietary models may not be; FAIR analytics work across risk domains beyond cyber; and it’s a true value-at-risk measure that adds value to existing risk and control frameworks. Nick also announced some coming attractions for the Institute:
- A new resources platform for the website
- A new Slack platform for members to seek and give advice
- A tiered membership system with enhanced privileges
Larry Clinton Makes a Plea to Re-Focus Cybersecurity on Cyber Risk Economics
The President of the Internet Security Alliance, the Washington think tank/lobbying organization, said that if cybercrime were an economy, it would be the biggest in the world at $6 trillion. We need to attack the problem on an economic level, he argued, and “mandate or incentivize organizations to do a sophisticated cyber risk assessment.”
CISO Panel on Making the Change to a Risk-based Corporate Culture
Moderator: Omar Khawaja, CISO, Highmark Health
Mark Tomallo, SVP, CISO, Victoria’s Secret
Mary Elizabeth Faulkner, CISO, Thrivent Financial
Jeff Norem, Deputy CISO, Freddie Mac
For anyone introducing FAIR, this session was a lot of well-honed advice from FAIR leaders who’ve been there. Mark Tomallo urged FAIR advocates to go for “progress over perfection,” and Omar Khawaja put a bit of a different spin on that: follow the MAYA principle from the design world, “most advanced yet most acceptable.” Mary Elizabeth Faulkner suggested “build trust” and “communicate in business terms.” “How do you compete with a lot of larger personalities in corporate management?” Mark asked. “…For me that was FAIR.”
Doug Hubbard’s “FrankenSME” and other Calibration Techniques
The author of the How to Measure Anything books gave a mini-course on getting the most from data and forecasting, including rolling up your best subject matter experts into a FrankenSME with super estimating powers.
Jack Jones with Bryan Smith of RiskLens on How to Scale FAIR Programs with Controls Analytics
The sessions with Jack expounding on his new FAIR-CAM™ (FAIR Controls Analytics Model) were all standing room only at FAIRCON22. This session had the added attraction of a preview of the integration of FAIR-CAM into the RiskLens cyber risk quantitative analysis platform.
Automation is the answer to scaling FAIR risk management, Jack said, but getting automation right requires first getting the scope, data and model right for risk assessment, as well as the controls environment, “the most complicated part of our problem space. Nothing else comes close.” FAIR-CAM aims to solve the automation problem and, in the process, many others. For instance, why do organizations fail so often at patching? By uncovering controls dependencies and interrelationships, FAIR-CAM will be a powerful diagnostic tool, Jack said.
Case Study from Netflix: Answering 5 Objections to FAIR
Harnessing Voltage in Our FAIR Risk Programs
Here’s a great example of the creative connections that go on at a FAIR Conference. Zach Cossairt, a FAIR champion at Equinix as Information Risk Program Senior Manager and a graduate student of behavioral economics, presented on scaling a FAIR program following the insights of John A. List, author of The Voltage Effect: How to Make Good Ideas Great and Great Ideas Scale. Example: how to construct “decision-making environments” that guide senior managers to make the right decisions.
Case Study: Funko Scales a FAIR Program from a Standing Start
Markus Kaufman, CISO for toymaker Funko, and his adviser Tom Callaghan of C-Risk answered the question of how to scale from zero: make a three-year plan, starting with five high-level risk assessments and working up to board-level reporting. “Before, getting an audience with the board was difficult,” Markus said. “Now, they’ve asked us to report on a quarterly basis.”
For the Federal Reserve, Cyber Risk = Business Risk = Systemic Risk
The struggle some FAIR evangelists face is convincing the business that cyber risk isn’t only a technical risk; it’s also business risk. The banking system is concerned about the next step up: cyber risk as systemic risk. Matthew Tolbert, Senior Cybersecurity Specialist, United States Federal Reserve, reported to the conference that, given the digital transformation of the banking industry, “a small control failure could fail the whole system.” It was disturbing to hear that banking regulators still require only qualitative risk reporting in many cases, but encouraging that, Matt finds, large banks are now using FAIR in their Comprehensive Capital Analysis and Review (CCAR) submissions to the Federal Reserve.
Cyentia Unveils IRIS 2022, a Scaled Up New Release of their Quantitative Risk Reporting
Wade Baker and David Severski of the research firm Cyentia have expanded and sharpened their well-known reporting on cyber risk, now applying machine learning to extract more data about loss events from public records. One surprise: overall, the size of cyber losses has not grown in recent years, though there is an upward trend in losses among the most costly events.
And there was more: a case study on scaling FAIR for M&A, and a Washington update from the Solarium Commission’s successor organization. Look for videos of all the sessions online for FAIR Institute members in the coming weeks.
FAIRCON22 Day One party at the DC Waterfront.