You had to be there in Washington, DC, to appreciate the full range of cyber risk management advice and inspiration spread around on the final day of the 2024 FAIR Conference (FAIRCON24), the leading annual event for CISOs, CROs, cyber risk managers and other fans of cyber risk quantification and management. This year’s theme was "Managing Risk at the Speed of the Business."
Here’s a sampling of some of the sessions:
In a conversation with Todd Tucker, Managing Director, FAIR Institute, Jack reflected on his journey from creating FAIR on a whiteboard – and his struggle to overcome entrenched practices for assessing cyber risk based on non-quantitative, subjective means. “We work in a profoundly complicated problem space. To have a reasonable expectation that [holding a wet finger in the air] works is ridiculous. As much progress as we are making to better risk management, the vast majority is still that.” His optimistic view: “There is a transition period from one epoch or form of maturity to another and we are going through that now.”
The CEO of the data management, backup and recovery company dropped by for a fireside chat with Saket Modi, CEO of the FAIR Institute’s technical advisor, Safe Security, with some fresh takes on cyber risk management thinking. He suggested risk managers take a resilience-first posture and identify “a minimum viable set of services that has to be up and running for your business to be a continuing operation” if attacked, and plan controls accordingly. The goal is not an impossible target of preventing critical outages but “cutting the spike in loss magnitude” if they occur. “Bring prevention and recovery” into one program, he advised.
FAIRCON24 Exhibit Floor
Omar Khawaja, VP-Security and Field CISO at Databricks, dug deep behind the platitude that CISOs must be business-oriented to get at what that really takes - including insisting that IT/Data functions own their technology, not pushing management off to Security.
In this panel discussion, Erica Eager, creator of the FAIR Materiality Assessment Model (FAIR-MAM) urged cyber risk analysts to move beyond the old model of determining loss magnitude in FAIR analysis by just questioning SMEs on direct effects of a breach and “align with the CFO’s office” to consider loss as “anything that can interrupt cash flow.”
Chip Block, VP/Chief Solutions Architect, Evolver, and CEO/Chief Technologist, Kiwi Futures, cleared some of the haze around AI, pointing out relevant features of the technology stack, all of them “contrary to everything we have been taught in cybersecurity”: “RAG (the interface between the foundational model and your data are the apps you actually interface with)… Probabilistic not deterministic (ask the model the same question twice and you may get two different answers)… Dynamically generated code (written a different way each time - and it’s accessing your data).”
Those lengthy questionnaires that insurers send to CFOs to apply for cybersecurity insurance that security teams hate? Turns out that insurance underwriters hate them too. “I’m sure everyone in the room is frustrated with the applications,” said Meghan Hannes, Chief Underwriting & Claims Officer, K2 Insurance. “Just because it made sense in a former life doesn’t mean it has to be going forward. We need to find [new] sources of trust for our underwriting assumptions… to capture and reward the behavior of our clients.” She was seconded by Mark Wheeler, Co-Founder & Co-CEO, Mosaic Insurance, who said he is going with the implementation of FAIR-MAM on the Safe Security platform to capture the behavior of clients.
Iranga Kahangama (on the left), Assistant Secretary for Cyber, Infrastructure, Risk, and Resilience, US Department of Homeland Security, and Jeff Greene (right), Acting Executive Assistant Director for Cybersecurity, CISA, had an onstage chat with Nick Sanna. Kahangama said that his agency is “not just focused on quantifying risk but resilience capacity - quantifying the tradeoff between a resilience measure and the resilience itself.” Nick offered the cooperation of the FAIR Institute in the government’s quantification efforts.
Board member Suja Chandrasekaran dropped a lengthy list of tips for CISOs seeking to improve their board reporting game, including:
>>Get a real taste of what’s happening in the company. Stay close to the latest strategy, understand the margin numbers.
>>Spend a lot of time with your ERM team.
>>Find a sympathetic board member and cultivate that relationship - but clear it through your CEO and General Counsel, who are the official board-handlers.
David Spark and contestants
Next to last on the conference agenda: the CISO-centric game show hosted by David Spark, Executive Producer of the popular CISO Series podcasts. Two game CISOs, Anne Marie Zettlemoyer, Fellow, National Security Institute, and Michael Levin, former Deputy CISO, 3M, competed to respond to bad what-if risk scenarios and to play other games, like this:
Which one is a Star Wars character and which is a security company? (We’re not giving away the answer; test yourself.)
Cody introduced FAIR to NASA and remains a space-program fan. He compared the development of FAIR to that of space travel:
1950-1970, the pioneer years with a focus on demonstrating feasibility
1970s-1990s, emphasis on scientific exploration
2000-present, goal of human presence and sustainability
With FAIR and CRQ, Cody concluded, we are in the pioneer era and heading higher to sustained presence in cyber risk management practice.
Jack expressed his “gratitude and amazement at how far we have come” and Nick invited us to come back next year with true stories about how we had assisted our business partners to “manage risk at the speed of the business” and become the “Dept. of Know not No.”
Over the next few weeks we will post the videos of the FAIRCON24 sessions on this site - so check back soon!