Whether you are an experienced FAIR practitioner or a recent adopter, the keynote speech on Day One of the FAIR Conference (FAIRCON22) by Larry Clinton, President, Internet Security Alliance (ISA), will give you a wider perspective on the importance of your work in cyber risk quantification for your organization and beyond.
How Risk Economics Can Help Us Win the Battle in Cyberspace
Tuesday, September 27, 9:00-10:00 AM
Attend in person at the Mandarin Oriental Hotel in Washington, D.C.
Or in a virtual session
Larry Clinton is a veteran activist in the field of public policy and corporate governance for high technology. He’s also a longtime supporter of FAIR (Factor Analysis of Information Risk). His key argument is that “cybersecurity has been largely mis-analyzed by business and government. Most people in the space regard cybersecurity as a technical operational mission. The technology is just how the attacks occur. We need to get at why attacks occur – almost always for economic reasons.”
The ISA and the National Association of Corporate Directors (NACD) developed the Cyber-Risk Oversight Handbook, which has been highly influential in re-orienting boards – and the CISOs and other executives who report to them – to see cyber risk in the economic terms they see other strategic risks.
Lately, Larry has been working with the World Economic Forum to promote the idea that cybersecurity is one of the environmental, social and governance (ESG) issues that organizations must confront for both corporate and social stability.
On the public policy side, Larry and the ISA have recently advocated for a national cybersecurity academy, much like the military academies though offered through many universities. Students would receive a free education in return for a 5-year commitment to serve in a government cyber job. “We could educate 10,000 students a year,” he says, and clear up the talent shortage in the field. “We can’t solve any of our cybersecurity issues until we have an adequate workforce.”
For motivation, Larry says, public and private leaders should look over their shoulders to the Chinese. Their Digital Silk Road program, funded at $1.4 trillion over the next five years, is an “incredibly effective” strategy. “The United States doesn’t even have a strategy. It’s mostly tactics, which are good and important -- information sharing programs, standards development, framework development -- but that’s not a strategy.”
“Starting from the point of view that we are losing this (cybersecurity) fight because we are not analyzing it properly, we should rip out all the traditional regulatory models (such as) massive checklists that are totally unrelated to anything economic…We need to insist organizations do a more sophisticated cyber risk assessment. FAIR would be one of the key ways to do that.
“FAIR in a very consistent way integrates economics, empiricism and risk and allows an organization to begin to make assessments on cyber in a similarly sophisticated way that they do with other risks. It’s a major innovation and should be heavily promoted.”