FAIRCON22 Day Two: How to Map Your Way to Better Security, Wow the Board, and More CRQ Success Stories
Let’s wrap up Day Two of the 2022 FAIR Conference, the leading gathering for practitioners of cyber risk quantification, including guidance from Jack Jones (creator of Factor Analysis of Information Risk - FAIR™), honors for three FAIR leaders, advice from CISOs who aced board appearances, and some serious questions asked about why cybersecurity spending doesn’t stop breaches. Read about Day One here.
Jack Jones Keynote on Trustworthy Risk Measurement
In his keynote speech on Day Two, Jack Jones led with the question “What’s the difference between trusting a risk measurement versus being able to defend a risk measurement?”
To answer his own question, Jack went into detail on these four markers of defensibility:
>>The clarity of a measurement’s scope
>>Accurate and relevant input data
>>A model that is logically and formulaically sound
>>Results that faithfully reflect uncertainty (ranges & distributions)
“If you can defend a risk measurement, then it’s reasonable to trust it,” Jack concluded. “If you can’t defend a risk measurement, it’s unreasonable to trust it.”
FAIR-CAM Spotted in the Wild at Dropbox
Tyler Britton, Quantitative Cyber Risk Manager at Dropbox, demonstrated his ingenious, home-grown FAIR-CAM system to a very attentive crowd. It’s a 10-step process that can start as small as you need it to be: define a set of controls, risk scenarios and attack chains; layer on the related controls as specified in FAIR-CAM; rate their effectiveness; and ultimately quantify the reductions in loss exposure.
An immediate benefit: The Dropbox audit and red teams are excited by the results and now “it’s making risk cool,” Tyler said.
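To make two of the points above concrete, here is an added example that is not code from the FAIR Institute, from Dropbox, or from any of the speakers. It sketches the FAIR idea that loss exposure is derived from Loss Event Frequency (LEF) and Loss Magnitude (LM), reports the result as a range (the fourth marker of defensibility in Jack’s keynote) rather than a single number, and shows how a control that reduces event frequency shows up as a reduction in that range, which is the kind of output Tyler described quantifying. The scenario, its calibrated estimates, the triangular distribution, and the control effect are all constructed assumptions for illustration, not FAIR-CAM’s actual method.

```python
"""Added example: Monte Carlo loss exposure expressed as a range, not a point.

Not from the FAIR Institute or any conference speaker; the scenario and
numbers are constructed for illustration.  FAIR itself uses calibrated
estimates and PERT-style distributions; a triangular distribution is used
here only because the standard library provides one.
"""
import random
from dataclasses import dataclass, replace
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    """A loss scenario with (min, most_likely, max) estimates for each factor."""
    name: str
    lef_per_year: tuple    # Loss Event Frequency: loss events per year
    loss_magnitude: tuple  # Loss Magnitude: currency units per loss event


# Constructed sample input, not real Dropbox or conference data.
EXAMPLE_SCENARIO = Scenario(
    name="constructed: phishing-led credential theft exposing customer records",
    lef_per_year=(0.5, 2.0, 6.0),
    loss_magnitude=(10_000, 50_000, 300_000),
)


def _draw(bounds, rng):
    """Draw one value from a triangular distribution over (min, mode, max)."""
    low, mode, high = bounds
    return rng.triangular(low, high, mode)  # random.triangular(low, high, mode)


def simulate(scenario, trials=20_000, seed=42):
    """Return loss exposure as percentiles alongside the naive point estimate.

    Each trial draws one LEF and one LM and multiplies them; the sorted
    trial results give the distribution the keynote asks for.  A fixed seed
    keeps the run reproducible so the numbers can be defended later.
    """
    rng = random.Random(seed)
    losses = sorted(
        _draw(scenario.lef_per_year, rng) * _draw(scenario.loss_magnitude, rng)
        for _ in range(trials)
    )

    def pct(p):
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {
        # "Most likely × most likely": the single number a heat map would hide behind.
        "point_estimate": scenario.lef_per_year[1] * scenario.loss_magnitude[1],
        "mean": mean(losses),
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
    }


def apply_control(scenario, frequency_reduction):
    """Model a control whose only effect is to cut loss event frequency.

    frequency_reduction is the fraction of events the control is assumed to
    prevent (0.4 means 40% fewer events).  Scaling every LEF bound by the
    same factor keeps the scenario's shape and lets the reduction in loss
    exposure be read directly off the percentiles.
    """
    if not 0.0 <= frequency_reduction < 1.0:
        raise ValueError("frequency_reduction must be in [0, 1)")
    k = 1.0 - frequency_reduction
    return replace(
        scenario, lef_per_year=tuple(v * k for v in scenario.lef_per_year)
    )


if __name__ == "__main__":
    baseline = simulate(EXAMPLE_SCENARIO)
    controlled = simulate(apply_control(EXAMPLE_SCENARIO, 0.4))
    for label, r in (("baseline", baseline), ("with control", controlled)):
        print(f"{label:13s} point={r['point_estimate']:>10,.0f}  "
              f"p10={r['p10']:>10,.0f}  p50={r['p50']:>10,.0f}  "
              f"p90={r['p90']:>10,.0f}  mean={r['mean']:>10,.0f}")
```

The thing to notice in the output is how far the p90 and even the mean sit from the “most likely × most likely” point estimate: that gap is exactly the uncertainty a single number erases, and it is why the keynote treats ranges and distributions as a marker of a defensible measurement. The control example keeps the same seed, so the drop in every percentile is attributable to the control alone rather than to sampling noise.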
Panel: Mapping the Leading Control Frameworks to FAIR-CAM
Moderator: Jack Jones, Chairman, FAIR Institute
Daniel Stone, Associate Director, Security & Privacy, Protiviti
Erin Macuga, Manager Risk and Information Security, Thrivent Financial
Robert Immella, Global Leader of Cyber Risk Quantification, Caterpillar Inc
Tyler Britton, Quantitative Cyber Risk Manager, Dropbox
Drew Brown, Information System Security Developer, FAA
Add more controls from the NIST CSF or other frameworks and you achieve “maturity” in standard cybersecurity-think. But do you truly reduce risk? Mapping the controls in FAIR-CAM with their counterparts in the frameworks should enable you to answer that question. Jack Jones assembled a brave group of FAIR practitioners to map the connections with NIST CSF, CIS, NIST 800-53, ISO27000, MITRE, HITRUST and more, a task he described as “the stuff of nightmares.” Just look at some of the spider-web results:
FAIR Awards Ceremony
The FAIR community honors its own with awards every year. Here are the 2022 honorees and runners-up:
FAIR Ambassador Award
Winner
Caleb Juhnke, Sr. Risk Engineer, Equinix
Finalists:
Julian Meyrick, Managing Partner & Vice President, Security Strategy Risk & Compliance, Security Services, IBM
Adham Etoom, Head of Policy, National Cyber Security Center, Jordan
FAIR Champion Award
Recognizes leaders at the forefront of their organization’s FAIR initiative who get data owners on board, stakeholders to help improve analysis, and decision-makers to adopt the resulting analytics as an integral part of their strategies, decision-making processes, and operating rhythms.
Winner:
Neil Davis, Head of Cyber Risk Management, Maersk
Finalists:
Robert Herse, Information Security Manager, Quantitative Risk Management Program, Freddie Mac
Chris Mutzbauer, Lead Analyst, VETERANS UNITED
Business Innovator Award
Recognizes those risk professionals who have successfully applied FAIR principles to drive innovation.
Winner:
Cedric De Carvalho, Head of Group Cyber Risk, Richemont
Finalists:
Brenda Thayer, Senior Manager, Technology Risk, Fannie Mae
Matt Lathrom, Interim CIO at GEHA
Left to right: Jack Jones, Cedric de Carvalho, FAIR Institute Board Member Sounil Yu, President Nick Sanna
Panel on Board Communication: Don’t Do Stupid, Do Business Leadership
Moderator: Julian Meyrick, Managing Partner & Vice President, Security Strategy Risk & Compliance, Security Services, IBM
James Lam, Board Director & ERM Author
Michael Meis, Associate CISO, KU Health
Evan Wheeler, Sr. Director, Technology Risk Management, Capital One
A CISO going before the board should play this session on a loop for its many bits of actionable intel. Michael Meis gave the basic objective: “Make them see you as a business leader instead of a security leader…FAIR provides some of that translation between typical security metrics and financial modeling.” James Lam put it more bluntly with three rules:
1. Don’t do stupid, for instance presenting qualitatively based results summarized in a heat map
2. Don’t do lazy, as in describing risk as non-performance of a business objective – downtime, for instance. “No, the risks are the underlying conditions and variables that lead to downtime.”
3. Don’t do boring. Listing your major accomplishments, giving progress reports. “We don’t want to spend our time listening to how you spent your time. What we want to know is, are you doing your job effectively.”
Message from Gartner: Scale Your Cyber Risk Management Program by Partnering with Enterprise Risk Management
Cyber risk equals business risk, and John Button, Principal Enterprise Risk Advisor from Gartner, the leading tech industry consultancy, made the case that the pieces are in place – FAIR risk model, risk management framework (such as ISO 31000) and FAIR-CAM – for a breakthrough collaboration between CRM and ERM to seamlessly scale risk management across the organization.
Conference Closes with a Dose of Reality and Hope
Conference organizers invited Derek Johnson, Senior Reporter at SC Media, to report from the cybersecurity front lines from a journalist’s viewpoint, and the view was dark. Despite all the spending on cybersecurity, breaches continue, mostly through supply chain attacks or social engineering. Johnson questioned whether the truth is that “organizations can’t or won’t adapt” and simply regard cyber loss exposure as a “cost of doing business.”
Jack Jones wrapped this final FAIRCON22 session with a more optimistic message that security and risk professionals can gain the upper hand. The real question, he said, is “with all those resources, are they prioritizing effectively? Let’s look honestly at our profession in the mirror and do a little root cause analysis.”