London FAIR Summit Panel on Moving Cybersecurity from Compliance-based to Risk-based – “The Real Challenge Is Mindset”

“It’s an important transition that needs to be made” to launch and establish a FAIR program, FAIR creator Jack Jones said, opening a panel discussion at the recent FAIR Institute London Summit, but one that takes patience and persistence to evolve an organization from assessing cybersecurity as a technical audit function to a focus on the business impact of cyber risk.


On the panel with Jack:

>>Paul de Luca, Head of Cyber Risk at HPE
>>Laura Voicu, Manager, Security Assurance and Risk Management, Infosec at Elastic

Watch the panel discussion on compliance vs. risk-based cybersecurity now.

A FAIR Institute Contributing Membership is required to view. Join now!


Laura set some useful terms for the discussion:

“We should not forget the original intent of compliance-based regimes, basically because they generally yield a good, reasonable baseline for security. The problem arises when checklist-based compliance becomes the goal on its own. The incentive is to check a box rather than understand the intent which is to reduce risk.”

Here are more of the tips, insights and frustrations voiced:

The primary advantage of a risk-based approach to cybersecurity

Laura: “It’s all about prioritization. You can’t put out all the fires, you have to be able to focus your efforts and your budget to what matters most.”

The disadvantages of a quantitative risk focus

Paul: “The real challenge is one of mindset and culture, struggling with folk who just don’t get it and don’t want to get it. They have 20 years’ experience in this space, and they are quite happy to continue wandering around kicking the tires for control compliance, and that’s about it.”

How to get buy-in for a FAIR quantitative program

Laura: “It takes time, patience, and a lot of effort, knocking on every door in creating a risk-engaged culture, people understanding that there is no perfect protection and being OK with that, and standing behind a decision that this is the most important control to prioritize and move forward.”

Is there a way to think outside the box on compliance?

Paul: “I don’t think compliance is ever going to go away, particularly on the legal and regulatory front. I never thought I’d say this, but I welcome the fact that there is compliance because, if nothing else, it puts some guardrails up for you. It can always get better, with more clarity, but I think we are the folk that need to change. Expecting others to change isn’t going to work.”


More from the FAIR Institute’s London Summit:

Richemont’s New Approach to Cyber Risk Management: Defend the Value Chain with FAIR

FAIR Institute London Summit: Maersk Case Study on FAIR Analysis for M&A Risk - “Sometimes Talking Dollars Is Not Enough”

Learn How FAIR Can Help You Make Better Business Decisions

Order today