It’s a powerful concept in innovation laid out in the Jobs to Be Done theory: Know what your user hopes to accomplish and provide the solution to that specific need. In planning the 2018 FAIR Conference (October 16-17, Carnegie Mellon University, Pittsburgh), the FAIR Institute built the conference agenda with an eye on the jobs that conference attendees (and their organizations) need to get done.
Actually, the FAIR model has always been “Jobs”-oriented. FAIR analysts listen carefully to the needs of stakeholders in order to tightly define a risk scenario that can be analyzed in the financial terms that support decision making.
Here are some of the Jobs you can learn to accomplish through the sessions (and hallway conversations with CISOs, CROs and other cyber and operational risk management executives):
Register for the 2018 FAIR Conference, October 16-17, Carnegie Mellon University, Pittsburgh.
See video highlights from FAIRCON 2017.
Presenting to the Board
One of the most common uses of FAIR is to create a Top 10 list of cyber risks for the Board and senior management. For a start, FAIR helps to separate what is really a risk (a scenario with a probable loss) from what is merely a controls deficiency, a staple of cyber risk reporting to the Board that does not further any of the Board's Jobs. The FAIRCON session "Reporting to the Board: What Got You Here Won't Get You There" will be led by Omar Khawaja, CISO at Highmark Health, who leads one of the most extensive corporate FAIR programs.
Estimating ROI of Cybersecurity
Many FAIR-powered organizations use the model to game out two competing approaches to cybersecurity controls and see which delivers more risk reduction for less cost. Conference attendees will hear a panel discussion, "Shifting the Discussion to Cost-Effective Decision Making," with Chris Correia from Ascena Retail Group and other experienced FAIR practitioners sharing tips on using cyber risk quantification to plan for ROI.
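To show what "gaming out" two control options looks like in practice, here is an added worked example that is not part of the original post and not FAIR Institute or RiskLens code. It is a simplified FAIR-style Monte Carlo: loss event frequency (LEF) and loss magnitude (LM) are given as calibrated min / most-likely / max estimates, annual loss is simulated many times, and each control option is expressed as a multiplier on LEF or LM plus an annual cost. The scenario, the distributions, the control effects and the costs are all constructed assumptions chosen so the expected results are easy to check by hand (baseline ALE of about $1M).

```python
"""Simplified FAIR-style Monte Carlo comparing two control options.

Added illustration, not FAIR Institute or RiskLens code. Every number
below (scenario ranges, control effects, costs) is a constructed assumption.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """Calibrated (min, most likely, max) estimates for one loss scenario.

    lef: loss event frequency, events per year.
    lm:  loss magnitude per event, in dollars.
    """
    lef: tuple
    lm: tuple


def poisson(rng, lam):
    """Knuth's algorithm: number of events in one year given rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scn, years, seed=2018, lef_scale=1.0, lm_scale=1.0):
    """Return one simulated total loss per trial year.

    lef_scale / lm_scale model a control that makes events rarer or cheaper.
    The fixed seed makes every run reproducible.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        lo, mode, hi = scn.lef
        lef = rng.triangular(lo, hi, mode) * lef_scale   # note: (low, high, mode)
        n_events = poisson(rng, lef)
        lo, mode, hi = scn.lm
        losses.append(sum(rng.triangular(lo, hi, mode) * lm_scale
                          for _ in range(n_events)))
    return losses


def ale(losses):
    """Annualized loss expectancy: the mean simulated annual loss."""
    return sum(losses) / len(losses)


def percentile(losses, q):
    """Empirical q-quantile of the simulated annual losses (e.g. q=0.9)."""
    s = sorted(losses)
    return s[min(len(s) - 1, int(q * len(s)))]


def compare_controls(scn, options, years=50_000):
    """Evaluate each option and report risk reduction per dollar of cost.

    options: {name: (lef_scale, lm_scale, annual_cost)}
    Returns (baseline_ale, {name: metrics}).
    """
    baseline_ale = ale(simulate(scn, years))
    results = {}
    for name, (lef_scale, lm_scale, cost) in options.items():
        losses = simulate(scn, years, lef_scale=lef_scale, lm_scale=lm_scale)
        reduction = baseline_ale - ale(losses)
        results[name] = {
            "ale": ale(losses),
            "risk_reduction": reduction,
            "annual_cost": cost,
            "reduction_per_dollar": reduction / cost,
            "p90_annual_loss": percentile(losses, 0.90),
        }
    return baseline_ale, results


# Constructed scenario: theft of customer records by a privileged insider.
# LEF mean = (0.5 + 1.5 + 4.0) / 3 = 2 events/yr; LM mean = $500k per event.
RECORD_THEFT = Scenario(lef=(0.5, 1.5, 4.0), lm=(100_000, 300_000, 1_100_000))

# Constructed options: (LEF multiplier, LM multiplier, annual cost in $).
OPTIONS = {
    "A": (0.5, 1.0, 100_000),  # DLP + access reviews: halves how often it happens
    "B": (1.0, 0.7, 50_000),   # encrypt records at rest: each event costs 30% less
}

if __name__ == "__main__":
    baseline, results = compare_controls(RECORD_THEFT, OPTIONS)
    print(f"Baseline ALE: ${baseline:,.0f}")
    for name, r in sorted(results.items(),
                          key=lambda kv: -kv[1]["reduction_per_dollar"]):
        print(f"Option {name}: ALE ${r['ale']:,.0f}, reduction "
              f"${r['risk_reduction']:,.0f} for ${r['annual_cost']:,.0f}/yr "
              f"(${r['reduction_per_dollar']:.1f} removed per $1), "
              f"P90 annual loss ${r['p90_annual_loss']:,.0f}")
```

With these inputs Option A removes more risk in absolute terms (roughly $500k of a $1M ALE) while Option B removes less (about $300k) but returns more per dollar spent (about $6 of risk per $1 versus $5), which is exactly the trade-off a budget discussion turns on. The P90 figure is there because decision makers often care about a bad year as much as the average one; a control that barely moves the mean can still trim the tail.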
Securing Budget for the Projects You Need
Budget is top of mind for everybody, and several sessions will teach the skills needed to sell a FAIR-based program to your organization and win the funding you need. A panel discussion, "How to Get the Buy-In for a Quantitative Risk Management Program from Your IT Security/Risk Council," features Jack Freund from TIAA (co-author of the FAIR book with Jack Jones) and Tim Titcomb from Fidelity, among others. Another panel, "Bridging the Gap Between the CISO & the CRO," will cover that critical relationship in a discussion moderated by James Lam, Chairman of the Risk Oversight Committee at E*TRADE Financial.
Buying Cyber Insurance
Cyber insurance premiums are expected to triple over the next few years, but do buyers really understand what they are paying for? If infosec risk managers cannot answer, in financial terms, the basic questions "How much risk do we have?" and "What are our top risks?", then they cannot answer "How much cyber insurance should we buy?" either. The panel discussion "Using FAIR to Optimize Your Cyber Insurance Coverage" will be led by a true authority in the field, Chip Block from Evolver, with panelists from Aon, Marsh, ProPath Services LLC and the law firm Axinn, Veltrop & Harkrider LLP.
Complying with Regulations
NYDFS, GDPR, SEC, HITRUST: chances are you are already subject to increasingly demanding cybersecurity requirements under one of those regimes, or soon will be under your industry's regulator. The discussion "How FAIR Can Help Meet Regulatory Requirements" will show how risk quantification is your answer if satisfying the regulators is your Job to Be Done. Panelists include Greg Rothauser from MassMutual, Allison Seidel from PNC, Samuel Tran from Honeywell and Rachel Slabotsky from RiskLens.