FAIR Institute President Nick Sanna promised a “future-shaping conference,” as he opened the 2023 FAIR Conference (FAIRCON23) on Tuesday, October 17, in Washington, DC. “Every year we dare to stretch the limits of what is possible in risk management…and then along with all of you, work in the pursuit of that.”
Nick Sanna delivers opening address of 2023 FAIR Conference
This year, Nick said in his keynote, the conference would go after the leading-edge issues in risk management:
>>New regulations on cyber risk disclosure from the SEC and European authorities
>>Unprecedented risks from Generative AI
>>The unsolved and growing risk from third parties
>>”Dramatic acceleration of innovation driven by consolidation” of the companies that had pioneered CRQ
FAIRCON Makes News
Literally within minutes of Nick’s speech, the FAIR Conference made news:
>>The Institute released a website “How Material Is that Hack?” (HowMaterialIsThatHack.org) for calculating the material impact of high-profile data breaches and other cyber loss events, based on the Institute’s new FAIR Materiality Assessment Model (FAIR-MAM™). The Wall Street Journal covered the release of the website, saying it would “help companies comply with SEC disclosure rules.”
>>Nick led a news-making keynote discussion with Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, and Federal CISO Chris DeRusha that The Wall Street Journal headlined as “Federal Cyber Chief Tells Agencies to Tap Brakes on AI.” “We can’t just break the rules and have use without understanding the risk,” DeRusha told the FAIR Conference audience.
Also in the news:
The FAIR Institute released its annual Cybersecurity Risk Report to provide “CISOs, CFOs and other business decision-makers the clearest visibility into the financial impact of cyber risks, based on quantitative analysis of actual cyber incidents through 2023.” The report was produced with data science and other research by Safe Security, technical advisor to the Institute and the global consulting firm EY. Download a free copy.
The Institute named the winners of the annual FAIR Awards:
>> Business Innovator: Ted Webster, Chief Security & Risk Officer, Centene
>> FAIR Champion: Krishna Sheshabhattar, Director, Security Risk, Expedia
>>FAIR Ambassador: Mohamed Abdul Rahim & Adham Etoom, Co-Chairs, Jordan Chapter
Read the news release: FAIR Institute Award Winners Announced at 2023 FAIRCON Honoring Excellence in Cyber Risk Management
Krishna Sheshabhattar receives FAIR Champion Award
Among the Highlights from the 2023 FAIR Conference
Sessions with Original Thinkers
Douglas Hubbard, author of How to Measure Anything, the estimation guru who Jack Jones credits as a major influence on his development of Factor Analysis of Information Risk (FAIR™). gave a talk on “Integrated Decision Management for Cybersecurity” and told his audience that “the major components of decision making are among the least measured in any organization… One of the first steps is starting to track the performance of SMEs, decision makers, and models. Don’t assume they work.”
Another guru in the field, Kevin Mandia, the CEO of Mandiant, the threat intelligence and incident response firm acquired by Google last year, sat down for a fireside chat with Saket Modi, CEO of Safe Security, the technical adviser to the FAIR Institute, that was at times hilarious and hair-raising in his descriptions of the battle lines of cybersecurity. Speaking of the Institute’s work with materiality assessment, he said “I like what you’re doing trying to measure ahead of time [for ransomware]. Likelihood is a little harder but impact is absolutely measurable ahead of time.”
Hands-on Advice from the Field
Neil Davis of shipping giant Maersk told of implementing FAIR following the disastrous NotPetya attack of 2017. Going quantitative enabled his team to “shift left, become part of decision making process” but also attracted a surplus of work. FAIR analysis “becomes a requirement” and “suddenly you’re asked to analyze other types of risk.”
Jon Oppenhuis, Director, Risk Strategy and Success, Safe Security, and Zach Cossairt, Integrated Risk Program Senior Manager, Equinix, presented a white paper, The Safe Security Blueprint for CRQM Program Development, a detailed look at building a FAIR-based program, with action steps to approach visibility, treatment, and communication of risk.
Fresh Takes on Old Problems
Sarah Sullivan, Thomas Jefferson University, and Adam Wells, Yum! Brands, joined Pankaj Goyal, FAIR Institute Director of Standards and Research to take on “Third-Party Risk Management: Time to Re-Think?” with a novel way of looking at leveraging influence on a business partner to reduce risk.
Cyentia presentation
Wade Baker of Cyentia Institute raining risk went deep into the data on cloud security for his talk “Is It Raining Risk” and came. Up with many insights, such as: “Organizations with cloud-heavy architectures tend to report higher achievement of resilience outcomes. But the evidence also suggests the early to mid stages of cloud migration may erode resilience.”
CISO Track – An Education in GenAI
This year, the FAIR Conference offered exclusive sessions for CISOs and other C-suiters, among them a 90-minutes workshop on Managing Generative AI Risk, led by Omar Khawaja, Field CISO for Databricks, Board Member and Faculty Member at Carnegie Mellon University, and an important thinker on FAIR program development. Omar was assisted by Arun Pamulapati of Databricks, plus Jacqueline Lebo and Zach Kramer of Safe Security. Topics from the syllabus started with Machine Learning Essentials and continued through Assessing ML Risks in Your Environment. Read Omar’s take on artificial intelligence in this blog post: Restoring the CISO’s Superpower to Work on Generative AI.
And there was more:
>>Robert Rodriquez, Chairman and Founder, SINET, led a forward-looking discussion with CISOs from Rolls-Royce, Department of Energy, Expedia and others.
>>Longtime FAIR practitioner Jack Whitsitt of Ostrich Cyber-Risk presented a new way to approach risk scenarios
>>Robert Moore of MasterCard presented a form of risk reporting designed for “cutting through
You don’t have to miss any of the action. Join the FAIR Institute as a Contributing Member and gain access to all the videos of the FAIRCON23 sessions as we put them online in the coming weeks.
