Four Findings from FAIRCON25


I had the fun, engaging, energizing, and informative pleasure of attending the 10th Annual FAIR Conference in New York City this year with our team from GuidePoint Security.

This blog post is contributed by GuidePoint Security, a FAIR Institute sponsor. Author Ben Moreland is Risk Practice Director at GuidePoint Security.

The cyber risk management community there was great, breakout sessions were packed with lessons learned, and the sessions, education, and content were extremely engaging. I took away more than four findings, but I couldn’t resist the consonance of this catchy title.

Here are four findings (or key takeaways) that resonated with me:

  • How you COMMUNICATE risk is as important as how you MEASURE risk.

Jack Jones and the FAIR community have given scientific and mathematical rigor to risk modeling and analysis. But that doesn’t mean you need to be a mathematician to know, understand, and communicate cyber risk.

Using the FAIR model provides measurable, data-driven analysis that enables decision making. Being able to communicate risk in dollars and probabilities is one of many frequencies that may resonate with your board or audit committee.

Traditional qualitative “measures” and stoplight colors provide an at-a-glance understanding of risk; but having measured, accurate risk ranges with impact and probability adds significantly more confidence for the executive team in conversations around information and cybersecurity investments, trade-offs, and prioritization.
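To make “risk ranges with impact and probability” concrete, here is an added illustration that is not from the original post and not GuidePoint Security’s or the FAIR Institute’s code. It runs a small FAIR-style Monte Carlo simulation: loss event frequency (events per year) and loss magnitude (dollars per event) are sampled from triangular distributions, each simulated year sums the losses of the events that occur, and the result is reported as dollar percentiles rather than a stoplight color. The input ranges, the seed, and the $2M exceedance threshold are constructed for the example only.

```python
import math
import random

# Constructed example inputs (not from the post): calibrated estimates in the
# form (minimum, most likely, maximum), as an analyst might elicit from experts.
LOSS_EVENT_FREQUENCY = (0.5, 2.0, 6.0)          # loss events per year
LOSS_MAGNITUDE = (50_000, 200_000, 1_000_000)   # dollars lost per event


def triangular_mean(low, mode, high):
    """Closed-form mean of a triangular distribution."""
    return (low + mode + high) / 3


def expected_annual_loss(frequency, magnitude):
    """Analytic annualized loss expectancy: E[events per year] * E[loss per event]."""
    return triangular_mean(*frequency) * triangular_mean(*magnitude)


def sample_triangular(rng, low, mode, high):
    """random.triangular takes (low, high, mode); keep the (min, most likely, max) order."""
    return rng.triangular(low, high, mode)


def poisson_sample(rng, rate):
    """Draw an event count from Poisson(rate) with Knuth's method (fine for small rates)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(frequency, magnitude, runs=10_000, seed=7):
    """Monte Carlo: for each simulated year, draw a frequency, draw how many
    events actually occur at that rate, then draw and sum a magnitude per event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(runs):
        rate = sample_triangular(rng, *frequency)
        events = poisson_sample(rng, rate)
        year_loss = sum(sample_triangular(rng, *magnitude) for _ in range(events))
        losses.append(year_loss)
    return losses


def summarize(losses):
    """Percentiles of simulated annual loss: the shape an executive report would show."""
    ordered = sorted(losses)
    n = len(ordered)

    def pct(p):
        return ordered[min(n - 1, int(round(p * (n - 1))))]

    return {
        "mean": sum(ordered) / n,
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "max": ordered[-1],
    }


def loss_exceedance(losses, threshold):
    """Probability that annual loss exceeds a threshold (e.g. an insurance retention)."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)


if __name__ == "__main__":
    sims = simulate_annual_losses(LOSS_EVENT_FREQUENCY, LOSS_MAGNITUDE)
    report = summarize(sims)
    print(f"Analytic ALE: ${expected_annual_loss(LOSS_EVENT_FREQUENCY, LOSS_MAGNITUDE):,.0f}")
    for key, value in report.items():
        print(f"{key:>5}: ${value:,.0f}")
    print(f"P(annual loss > $2M): {loss_exceedance(sims, 2_000_000):.1%}")
```

The simulated mean converges on the analytic annualized loss expectancy, but the percentile spread and the exceedance probability are what a board actually needs: a single expected-loss figure hides the tail, and the tail is where an investment or insurance decision is made.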

  • Risk decision intelligence is a force multiplier

Reframing “Cyber Risk Quantification” to “Cyber Decision Intelligence” was a challenge posed to conference attendees by Saket Modi, CEO of SAFE. Thinking of it another way, cyber risk quantification is the action, but decision intelligence is the outcome. 

The late, great, venerated General Colin Powell is quoted as saying, "Perpetual optimism is a force multiplier." I’m a huge fan of Colin Powell and would like to borrow from him in stating, “Risk decision intelligence is (also) a force multiplier.”

When I led Information Security for a media company, I was often asked by peers and other executives: “Are we secure?” As simple and generic as that question is, they were serious. And as CEOs, CIOs, CFOs, and other executives rely on big data and business intelligence to amplify their ability to make decisions that drive and grow their business, so, too, should CISOs and other cyber executives.

  • Compliance is your floor, not your ceiling

“Compliance is your floor, not your ceiling”, are words I’ve heard Alla Valente, Principal Analyst at Forrester, utter before, but at FAIRCON, they hit a nerve. Compliance is important – AND – you don’t have to stop there.

At GuidePoint Security, we help manage and treat risk for a great many customers. Too often, I’ve seen organizations limit their IT, information, and cybersecurity programs to meeting compliance requirements and audit standards.

Sometimes a shiny new tool or popular platform that vendors are marketing and CISOs are raving about gets added to the security stack too. But, as we know, being compliant and having cool security tools doesn’t make your organization and data “secure”.

While 100% cyber risk elimination isn’t possible in today’s digital age, compliance with regulations and standards linked to SOX, PCI, CMMC, HIPAA, NIST and others is only the beginning, a catalyst.

Governance, Risk and Compliance (GRC) leaders need to correlate risks in the context of business strategies. Cyber risk quantification or, to use a new and emerging term, cyber business intelligence, aims to do just that. So I encourage GRC leaders, risk managers, and cyber executives to evolve their programs beyond compliance if they’re not doing so already.

  • Quantifying cyber risk is a journey; we’re all at different stages

FAIR Institute Founder, Nick Sanna, opened the FAIRCON25 welcome address with “The Future of Cyber Risk Management Starts Here.” As I met with, spoke with, and listened to attendees, I really understood the journey we are on together.

Students I met from Georgetown University and Harvard are learning fundamentals and frameworks around cyber risk management. Several risk managers I spoke with or heard from identified pain points and lessons learned in moving qualitative third-party risk management to a more continuous, autonomous, quantitative risk-aligned program. Executive speakers demonstrated a variety of ways risk may be communicated and reported.

Each offered valuable insights into risk management stages. The best part of the conference for me was knowing I’m on the journey with a like-minded community all focused on a similar mission to improve cyber risk management.

Learn more about quantifying your cyber risk.
