FAIRCON24 Day 1: FAIR Goes Mobile App, CISOs Go Round the Table, Third Party Risk Managed, and More
The 2024 FAIR Conference, the premier annual event for CISOs and other cyber risk management leaders, kicked off in Washington, DC, today with a packed agenda covering AI, third party risk, cybersecurity regulations and the cutting edge in Factor Analysis of Information Risk: a mobile app for instant answers on an organization’s FAIR-analyzed risk posture. Here’s a quick look at the first day of FAIRCON24:
Nick Sanna Welcome Address
The FAIR Institute’s Founder began his welcome address by asking how many in the audience were first-time FAIRCON attendees – and a huge number of hands went up, indicative of the growth in the FAIR movement, now up to 16,000 Institute members worldwide. Nick charted the growth in acceptance of FAIR, from the first FAIRCON in 2016, when the goal was just to know “how much risk do we have?”, to FAIRCON24, with the theme of “managing risk at the speed of the business” at a time when every business needs to act like a startup.
Introducing Our New FAIR Institute Managing Director, Todd Tucker
Nick introduced Todd who is bringing in fresh ideas from his experience managing the TBM Council. Todd listed four new initiatives for the FAIR Institute:
–Expand Research, such as development of an open and online CRQ framework
–Elevate FAIR to C-Suite and Board, starting with a new FAIR introductory course for executives on Coursera.
–Advance the Cyber Risk Profession, such as offering a FAIR certification to practitioners
–Engage and Expand the Community. Todd gave an open invitation to the membership to get more involved in the Institute as chapter hosts, trainers, content creators and members of research boards.
Join the FAIR Institute now with a free membership!
Saket Modi Presentation
The Big Product Announcement: SAFE X Mobile FAIR-powered App
Safe Security, the technical sponsor and major contributor to the Institute, introduced SAFE X, the GenAI-powered cybersecurity assistant for CISOs. The app (available for a trial on the App Store) is based on the SAFE One platform that automates FAIR analysis (for FAIR fans, that’s specifically Threat Event Frequency, Susceptibility and Loss Magnitude). As Safe Security CEO Saket Modi demoed, the mobile assistant updates continuously with feeds from security telemetry interpreted by AI, and offers instant “what-if” analysis for risk mitigations. The result is a “decision-making model” for CISOs, Saket said. See the SAFE X introduction video.
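To make the three factors named above concrete, here is an added example (not Safe Security's SAFE One or SAFE X code, and not FAIR Institute material): a minimal FAIR-style calculation that derives Loss Event Frequency from Threat Event Frequency and Susceptibility, multiplies by Loss Magnitude, runs a Monte Carlo over calibrated ranges, and compares a baseline scenario against a mitigated one the way a "what-if" analysis would. The triangular distribution is a stand-in for the PERT-style distributions FAIR tools typically use, and every input range (the phishing scenario, the MFA effect) is constructed for illustration, not a figure from the conference.

```python
# Added example, not Safe Security's or the FAIR Institute's code: a minimal
# FAIR-style calculation over Threat Event Frequency, Susceptibility and
# Loss Magnitude, with a what-if comparison of a mitigation.
# All input ranges below are constructed for illustration.
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max estimate for one FAIR factor."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution: a simple stand-in (assumption) for the
        # PERT-style distributions FAIR tools usually fit to calibrated estimates.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    tef: Estimate             # Threat Event Frequency: attempts per year
    susceptibility: Estimate  # probability an attempt becomes a loss event (0..1)
    loss_magnitude: Estimate  # loss per event, in dollars


def point_estimate(tef: float, susceptibility: float, loss_magnitude: float) -> float:
    """Single-value FAIR arithmetic: LEF = TEF x Susceptibility; ALE = LEF x LM."""
    loss_event_frequency = tef * susceptibility
    return loss_event_frequency * loss_magnitude


def simulate(scenario: Scenario, iterations: int = 20000, seed: int = 7) -> dict:
    """Monte Carlo over the three factors; returns annualized-loss summary stats."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(iterations):
        lef = scenario.tef.sample(rng) * scenario.susceptibility.sample(rng)
        annual_losses.append(lef * scenario.loss_magnitude.sample(rng))
    annual_losses.sort()
    n = len(annual_losses)
    return {
        "mean": sum(annual_losses) / n,
        "p50": annual_losses[n // 2],
        "p90": annual_losses[int(n * 0.9)],
    }


def what_if(baseline: Scenario, mitigated: Scenario, **kwargs) -> dict:
    """Compare two scenarios; the drop in mean annual loss is the mitigation's value."""
    before = simulate(baseline, **kwargs)
    after = simulate(mitigated, **kwargs)
    return {
        "before": before,
        "after": after,
        "mean_reduction": before["mean"] - after["mean"],
    }


# Constructed inputs: a phishing-led credential-theft scenario before and after
# rolling out phishing-resistant MFA, which lowers Susceptibility but not TEF
# (attackers keep sending the same volume of phishing mail).
BASELINE = Scenario(
    tef=Estimate(20, 50, 120),
    susceptibility=Estimate(0.10, 0.25, 0.40),
    loss_magnitude=Estimate(50_000, 200_000, 1_000_000),
)
WITH_MFA = Scenario(
    tef=BASELINE.tef,
    susceptibility=Estimate(0.01, 0.03, 0.08),
    loss_magnitude=BASELINE.loss_magnitude,
)

if __name__ == "__main__":
    result = what_if(BASELINE, WITH_MFA)
    for label in ("before", "after"):
        s = result[label]
        print(f"{label:>6}: mean ${s['mean']:,.0f}  p50 ${s['p50']:,.0f}  p90 ${s['p90']:,.0f}")
    print(f"mitigation reduces expected annual loss by ${result['mean_reduction']:,.0f}")
```

The design point worth noticing is which factor a control actually moves: MFA changes Susceptibility, while something like reducing an attack surface would change Threat Event Frequency and a better backup strategy would change Loss Magnitude. Modelling a control against the wrong factor is the most common way a what-if analysis produces a confident but wrong number.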
The Legendary John Chambers Drops In
The man who built Cisco into a networking powerhouse, John Chambers, dropped in for a casual chat with Saket Modi. Chambers, now Chairman Emeritus of Cisco and an investor in cyber companies (including Safe Security), sees the two major tech trends of the next few years as cybersecurity and AI. “AI is going to accelerate” business competition “beyond all recognition,” he says. “If you don’t disrupt yourself, you will get disrupted by others.”
FAIR Institute Award Winners Announced
At the Day 1 Gala Dinner, we announced the winners of the annual FAIR Institute Awards - get the details here.
Slices of Advice from the Sessions
“Establishing the CISO as an Indispensable Business Partner”
Susan Chiang, CISO, Headway
CISOs need to “understand the motivations of the business…If you don’t understand the business well enough to be a board director, you will probably not be effective as a CISO.”
–Michael Johnson, CISO, Meta Financial
“Reframe your role from managing risk to be about growth and where can we go.”
–Susan Chiang, CISO, Headway
“Do We Need Cyber Expertise at the Board Level?”
“25% of CISOs now have direct lines to the Chairman of the Board. That’s a major change. This group sitting here today is becoming critically important”
–Michael Coden, Senior Advisor, BCG
“Empowering Business Decisions through CRQ: Insights from the Practitioner's Perspective”
Grace Gair speaks at practitioner session
“I have most often seen a cyber risk quantification program go off the rails for three things:
“Timing – what things are happening in the organization in the next 12-18 months that are going to impact your planning?
“Stakeholders. How are things piling up on their plates? This is a change management effort.
“Narrative. What are the organization’s big strategic objectives and can you tie your CRQ effort to any of those?”
--Grace Gair, Director, Technology Risk Management, Capital One
“Healthcare CISO Roundtable on Cyber Risk Management”
The 2024 FAIR Conference featured roundtables for invited CISOs by industry verticals: Healthcare, Financial Services, Energy/Utilities, Consumer/Retail/Hospitality. The longer-term plan is for these groups to feed standing research boards for the Institute. Comments by roundtable participants are kept anonymous outside the roundtable room.
The Healthcare roundtable held a penetrating discussion on risk raised by AI - as one participant called it, “the most complex technology for security.” Discussion covered the similarities to the familiar risk landscape (risk of data exfiltration, for example) and the new phenomena (like “integrity risk”, the tendency for models to drift, requiring ongoing human supervision).
“CISO Liability: How Not to Get Singled Out in an Evolving Regulatory Environment”
CISO Liability Panel
What a change from last year’s FAIRCON when fear was rampant in the CISO community that the Securities and Exchange Commission’s enforcer (and FAIRCON23 guest speaker) David Hirsch would come after them for violating a 4-day rule to determine and report on cyber incidents of material risk. Hirsch, now in private practice at McGuireWoods LLP, told FAIRCON24 that the CISO community jumped on “defensive 8-K” disclosures of events without making a determination of material risk, surprising the SEC. As it turned out, the only enforcement actions the agency took were over lack of internal communication in companies, resulting in misleading public statements. The takeaway, he said, is “it’s valuable to have a shared (risk) terminology” within your staff.
“Beyond Boundaries - Orchestrating Cyber Resilience Across First and Third Party Risk”
“We’re seeing more vendors are pushing back on the questionnaires. If they don’t do a risk assessment do we not do business with them?”... (It’s time to) “think about continuous monitoring - risk assessment without a questionnaire.”
–Juanita Bates, Director Cybersecurity Governance Risk & Compliance, Jefferson Health
“Developing an Effective Cyber Risk Management Program in Today's Digital Landscape”
Brian Allen, SVP, Technology Risk Management; Fmr. CSO, Time Warner Cable and Brandon Bapst, Cyber Risk Advisor, EY introduced some principles from their cyber risk management program framework. Example:
“Embracing a True Risk-Based Approach to TPRM”
Meena Martin, VP, Cyber Risk and Assurance, GSK, presented a three-layer, automated approach to quantifying third party risk, starting with the individual employee level, up through the vendor level and on to the organization’s controls.
Note: Videos of all the FAIRCON24 sessions will be posted on the FAIR Institute website in the near future. So come on back!
Join the FAIR Institute - get a free membership.