FAIR Institute Blog

FAIRCON22 Day Two: How to Map Your Way to Better Security, Wow the Board, and More CRQ Success Stories

Sep 29, 2022 10:48:20 AM / by Jeff B. Copeland

Let’s wrap up Day Two of the 2022 FAIR Conference, the leading gathering for practitioners of cyber risk quantification, including guidance from Jack Jones (creator of Factor Analysis of Information Risk - FAIR™), honors for three FAIR leaders, advice from CISOs who aced board appearances, and some serious questions asked about why cybersecurity spending doesn’t stop breaches. Read about Day One here.

Jack Jones Keynote on Trustworthy Risk Measurement 

In his keynote speech on Day Two, Jack Jones led with the question “What’s the difference between trusting a risk measurement versus being able to defend a risk measurement?”

It’s a critical distinction, he said, for risk management professionals who too often ask stakeholders to trust a risk judgment they can’t themselves defend. And, as the risk management profession moves toward automating cyber risk quantification, it’s an urgent question; faulty risk measurement would mean that automation will only generate “wrong answers faster,” he said.

To answer his own question, Jack went into detail on these four markers of defensibility:

>>The clarity of a measurement’s scope

>>Accurate and relevant input data

>>A model that is logically and formulaically sound

>>Results that faithfully reflect uncertainty (ranges & distributions)

“If you can defend a risk measurement, then it’s reasonable to trust it,” Jack concluded. “If you can’t defend a risk measurement, it’s unreasonable to trust it.”

FAIR-CAM Spotted in the Wild at Dropbox

FAIR-CAM™ (the FAIR Controls Analytics Model, new from Jack Jones) generated much excitement at FAIRCON (Jack also presented on Day One with a demo of a FAIR-CAM integration prototype with the RiskLens analytics platform), but actual implementations of FAIR-CAM are still rare.

Tyler Britton, Quantitative Cyber Risk Manager at Dropbox, demonstrated his ingenious, home-grown FAIR-CAM system to a very attentive crowd. It’s a 10-step process that can start as small as you need it to be: defining a set of controls, risk scenarios, and attack chains, layering on the related controls as specified in FAIR-CAM, rating their effectiveness, and ultimately quantifying reductions in loss exposure.

An immediate benefit: The Dropbox audit and red teams are excited by the results and now “it’s making risk cool,” Tyler said.

Panel: Mapping the Leading Control Frameworks to FAIR-CAM

Moderator: Jack Jones, Chairman, FAIR Institute

Daniel Stone, Associate Director, Security & Privacy, Protiviti

Erin Macuga, Manager Risk and Information Security, Thrivent Financial

Robert Immella, Global Leader of Cyber Risk Quantification, Caterpillar Inc

Tyler Britton, Quantitative Cyber Risk Manager, Dropbox

Drew Brown, Information System Security Developer, FAA

Add more controls from the NIST CSF or other frameworks and you achieve “maturity” in standard cybersecurity-think. But do you truly reduce risk? Mapping the controls in FAIR-CAM with their counterparts in the frameworks should enable you to answer that question. Jack Jones assembled a brave group of FAIR practitioners to map the connections with NIST CSF, CIS, NIST 800-53, ISO27000, MITRE, HITRUST and more, a task he described as “the stuff of nightmares.” Just look at some of the spider-web results:

FAIRCON22 - FAIR-CAM Mapping to Controls Frameworks

Why so complicated? “FAIR-CAM provides a recipe for putting the ingredients together...but those controls have no real relation to each other sometimes [in the frameworks],” said mapping team member Daniel Stone.

FAIR Awards Ceremony

The FAIR community honors its own with awards every year. Here are the 2022 honorees and runners-up:

FAIR Ambassador Award

Recognizes a member’s work in bringing FAIR knowledge and the FAIR Institute to a new geography or a new industry.


Caleb Juhnke, Sr. Risk Engineer, Equinix


Julian Meyrick, Managing Partner & Vice President, Security Strategy Risk & Compliance, Security Services, IBM

Adham Etoom, Head of Policy, National Cyber Security Center, Jordan

FAIR Champion Award

Recognizes leaders at the forefront of their organization’s FAIR initiative who get data owners on board, stakeholders to help improve analysis, and decision-makers to adopt the resulting analytics as an integral part of their strategies, decision-making processes, and operating rhythms.


Neil Davis, Head of Cyber Risk Management, Maersk


Robert Herse, Information Security Manager, Quantitative Risk Management Program, Freddie Mac

Chris Mutzbauer, Lead Analyst, VETERANS UNITED

Business Innovator Award

Recognizes those risk professionals who have successfully applied FAIR principles to drive innovation. 


Cedric De Carvalho, Head of Group Cyber Risk, Richemont 


Brenda Thayer, Senior Manager, Technology Risk, Fannie Mae

Matt Lathrom, Interim CIO at GEHA 

FAIR Awards - Cedric De Carvalho

Left to right: Jack Jones, Cedric de Carvalho, FAIR Institute Board Member Sounil Yu, President Nick Sanna


Panel on Board Communication: Don’t Do Stupid, Do Business Leadership

Moderator: Julian Meyrick, Managing Partner & Vice President, Security Strategy Risk & Compliance, Security Services, IBM

James Lam, Board Director & ERM Author

Michael Meis, Associate CISO, KU Health

Evan Wheeler, Sr. Director, Technology Risk Management, Capital One 

A CISO going before the board should play this session on a loop for the many bits of actionable intel. Michael Meis gave the basic objective: “Make them see you as a business leader instead of a security leader…FAIR provides some of that translation between typical security metrics and financial modeling.” James Lam put it more bluntly with three rules:

1. Don’t do stupid, for instance presenting qualitatively based results summarized in a heat map.

2. Don’t do lazy, as in describing risk as non-performance of a business objective – downtime, for instance. “No, the risks are the underlying conditions and variables that lead to downtime.”

3. Don’t do boring, as in listing your major accomplishments or giving progress reports. “We don’t want to spend our time listening to how you spent your time. What we want to know is, are you doing your job effectively.”

Message from Gartner: Scale Your Cyber Risk Management Program by Partnering with Enterprise Risk Management

Cyber risk equals business risk, and John Button, Principal Enterprise Risk Advisor from Gartner, the leading tech industry consultancy, made the case that the pieces are in place – FAIR risk model, risk management framework (such as ISO 31000) and FAIR-CAM – for a breakthrough collaboration between CRM and ERM to seamlessly scale risk management across the organization.

Conference Closes with a Dose of Reality and Hope

Conference organizers invited Derek Johnson, Senior Reporter, SC Media, for a report from the cybersecurity front lines from a different viewpoint, and the view was dark. Despite all the spending on cybersecurity, breaches continue, mostly through supply chain attacks or social engineering. Johnson questioned whether the truth is that “organizations can’t or won’t adapt” and just look on cyber loss exposure as a “cost of doing business.”

Jack Jones wrapped this final FAIRCON22 session with a more optimistic message that security and risk professionals can gain the upper hand.  The real question, he said, is “with all those resources, are they prioritizing effectively? Let’s look honestly at our profession in the mirror and do a little root cause analysis.”

Topics: FAIR Conference 2022

Written by Jeff B. Copeland

Jeff is the Content Marketing Manager for RiskLens.
