FAIR Institute Board Member Evan Wheeler is a veteran financial industry risk executive, author, and frequent conference speaker and panelist, particularly on the topic of risk quantification. He’s also one of the most patient and lucid explainers of the FAIR model we’ve ever heard – take a listen to the video of his presentation at the RSA Conference in February 2017, or read his posts for the FAIR Institute blog.
Evan also leads the Institute’s Operational Risk Workgroup, where lately members have been tearing apart the list of supposed Top 10 Cyber Risks as a group project.
You do a lot of public speaking on FAIR. How would you characterize your public role?
Evangelist, that’s probably how I’d describe myself. I like to think of myself as somewhat framework-agnostic, but I’ve been researching this for years and have never found anything as viable as FAIR for the analytical and measurement pieces.
How did you get started with FAIR?
I met [FAIR Board Member] Alex Hutton at an RSA Conference and I was just fascinated by some of the things he was working on with Jack Jones.
It was one of those things like learning that Santa Claus doesn’t exist for the first time. It just blows away your mental model of how you think everything worked before.
I think I originally reached out to Jack because I was teaching a university course at the time and I wanted to use some of the materials. He was generous enough to spend time with me talking through it and helping me figure out what to highlight.
You’ve now introduced FAIR to a number of organizations you’ve worked at. How did you learn the human side of it, to persuade people to take on this new form of thinking?
I like to think that I take an opportunistic approach. If you know how to look for them, there are always opportunities where a current model is failing and people are not getting what they need out of it.
I think if you hit them with the full breadth and scope of what it can be all at once, people tend to get really overwhelmed. So I’ve just developed my own kind of FAIR Light over the years of how I introduce it to people, concept by concept, slowly.
But there are really bright people with a lot of experience in the field who are very adamantly convinced that cyber is not quantifiable and that the status of the industry today is as good as it gets. And it shocks me.
How do you explain the resistance to information risk quantification?
I’ve spent the last few years of my career focused on integrating IT, technology and cyber risk with operational risk, and I’ve had a few roles where I’ve gotten to be on the operational risk side. So I see the alignment between those two. But in a lot of organizations, technology or IT risk is still kept very separate from operational risk.
There are some operational risk models that you just can’t apply directly to technology or you get absurd results, without people who are knowledgeable about both sides of it.
You had operational risk people who only knew their domain try to apply their models directly to technology risk, and vice versa, the technology people did not really understand the models they were being given.
The results were obviously so terrible that people just threw up their hands and walked away from it, saying well this just isn’t possible, we need to keep these two separate, they’re different animals.
Would you say people who come from the operational risk side are more open to FAIR than people who come to it from the cyber side?
I think so. I think it appeals to them. If you talk to someone in operational risk, for example, they’re very focused on loss events. That terminology is used in FAIR but rarely used in technology risk.
A lot of times, when the cybersecurity side doesn’t get the prioritization that it wants, it’s because they can’t normalize the risk they’re looking at versus all the other enterprise risks: it can’t be put side by side with other risks that organizations must prioritize. I think we are doing ourselves a disservice staying so isolated and not adopting some of those practices.
How readily can FAIR be adapted to the operational risk side?
Very readily. A lot of organizations are using it for both. The operational risk management work group at the FAIR Institute is thriving. We have a really good representation of organizations across a wide variety of sectors. We discuss everything from compliance to true operational errors to things that touch on technology or third party or resiliency. I think it’s a really easy fit.
On the cyber side, do you see the increased volume of threats pushing the profession more towards a risk-based approach and away from the controls focused approach?
I think it should be but don’t know that everyone is making the connection yet.
A good example is, ‘threat intelligence’ has become one of the recent buzzwords but very few organizations are connecting their threat assessments with their risk assessments, for instance, to see how a shift in the threat level could impact conclusions they previously made that some level of risk is acceptable or not.
They should be leveraging FAIR to pull those together and put everything in context.
Besides your day job and your speaking engagements, what else keeps you busy?
Right now, I’m teaching a cyber risk and privacy class for enterprise risk professionals at the UCLA Extension school. That’s been really fascinating because it’s an opportunity to teach this subject to people who don’t have an IT background. I feel like it’s the best way for me to keep on top of things because they ask hard questions, and it really makes me think about my assumptions.
What advice would you give to people starting out in the risk analysis and management field?
Recognize that it really is a specialization. You need to get trained and do your research. It’s not just about intuition, making it up as you go. I think a lot of people approach it that way.
It’s not just having experience being a firewall admin or a forensic investigator. That is important knowledge, but it doesn’t necessarily mean you’re going to be good at risk analysis. It’s not for everybody, and that’s a hard message.
More than anything, the base skills you need are critical analysis skills and active listening. Some of those quote-unquote soft skills are the things people don’t spend as much time on as they should.