Robert Herse, Information Security Manager, Quantitative Risk Management Program at Freddie Mac, the mortgage finance giant, spoke to Luke Bader, Director of Membership and Programs for the FAIR Institute on successful use of FAIR™ to change minds and open communication about risk for humans (and chickens - see below).
How did you first hear about FAIR and the FAIR Institute?
I first heard about FAIR through our CISO. I had been leading the Vulnerability Management team within Freddie Mac and we were looking for a better way to prioritize our vulnerabilities.
FAIR was brought up and the more I looked into it, the more the methodology made sense to me. Focusing on things that are material to the company, and not doing work for the sake of work, is very important to me. Putting our cyber, technology, or really any other risk in dollars is the best way to convey the importance of action.
In addition to quantification, what have been some of the most beneficial aspects of FAIR?
I would have to say the willingness to be corrected. When presented with new evidence we’re forced to change our assumptions and ranges. I think too often now people get bogged down and entrenched in their beliefs and answers. This method doesn’t punish you for having to update your assumptions and ranges.
Typically, we focus on finding a single answer to a question when the world and life don't work that way. Rarely does an answer not begin with "It depends," and FAIR allows us to address the multiple caveats. By allowing for variance, we can have people be comfortable giving us answers. There is sometimes too much "don't quote me on this" because they know things change and do not want to have an answer blow up in their face.
Freddie Mac CISO Betty Elliott spoke at FAIRCON21 in the panel discussion How Risk Management is Helping Companies Be More Resilient during Digital Transformation
What are you seeing as some other key issues facing the risk management profession where quantification can help?
Communication and reframing people’s mindset really seem to be the issues we’re running into right now. Once we get into the process and can show results, I’ve found people want to keep coming back. Getting them on board to start that process is most of that battle. Quantification of these abstract ideas seems to be the success. Being able to talk about worst case and best case in one sitting gets more and more people on board.
On a not as serious note, I have found myself sending this to my team after meeting with folks unfamiliar with FAIR.
What are you most excited about, in terms of new developments or improvements in the space?
The FAIR-CAM™ model for sure. We are a controls-heavy organization and being able to map a risk back to specific controls and show how those failures can directly impact a larger risk will only help us have these conversations.
Have you found any novel uses for FAIR? Or what are your future plans when it comes to risk management?
On a personal level, being more okay working with ranges. I tell friends I’ll meet them in a time range instead of a time. I’ve found that personally helps us not worry about being late.
From a work level, I have a desire to leverage graph databases to visualize the connection of our risk scenarios/assessments to controls within our GRC tool. In my perfect world any review or audit of a control would initiate a review of the scenario. We could then quickly show how a control failure or improvement has changed the risk.
When you aren’t busy working, what do you like to do for fun?
I am in northern Colorado so obviously going out hiking with my dogs and ending up at one of the many breweries. I do also have a large friend group on Discord where we’ll play some games together and occasionally will dust off my boots (cleats) to play some rugby.
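The interview above talks about putting risk in dollars, working with ranges instead of point estimates, showing best case and worst case in one sitting, and revising assumptions when new evidence arrives. The script below is an added example of what that looks like in practice; it is not code from the interview, the FAIR Institute or Freddie Mac. It follows the FAIR ontology (Loss Event Frequency = Threat Event Frequency x Vulnerability; annual loss = number of loss events x Loss Magnitude), but the PERT-shaped ranges, the Poisson event count, the phishing scenario and every number in it are assumptions chosen purely for illustration.

```python
"""FAIR-style Monte Carlo quantification of one risk scenario in dollars.

Added example, not code from the interview or from Freddie Mac. It follows the
FAIR ontology (Loss Event Frequency = Threat Event Frequency x Vulnerability;
annual loss = loss events x Loss Magnitude); the PERT-shaped ranges, the Poisson
event count and every number below are assumptions chosen for illustration.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """A calibrated estimate: minimum, most likely, maximum (what an SME is asked for)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # PERT distribution: a Beta stretched over [low, high], weighted towards the mode.
        if self.high == self.low:
            return self.low
        span = self.high - self.low
        a = 1 + 4 * (self.mode - self.low) / span
        b = 1 + 4 * (self.high - self.mode) / span
        return self.low + span * rng.betavariate(a, b)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Range             # threat events per year
    vulnerability: Range   # probability a threat event becomes a loss event (0..1)
    loss_magnitude: Range  # dollars lost per loss event


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small annual rates seen in risk scenarios."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate(scenario: Scenario, iterations: int = 10_000, seed: int = 1) -> dict:
    """Return annualised loss percentiles in dollars for one scenario."""
    rng = random.Random(seed)  # fixed seed so a re-run reproduces the same figures
    losses = []
    for _ in range(iterations):
        lef = scenario.tef.sample(rng) * scenario.vulnerability.sample(rng)
        events = poisson(rng, lef)
        losses.append(sum(scenario.loss_magnitude.sample(rng) for _ in range(events)))
    losses.sort()

    def pct(p: float) -> float:
        return losses[int(p * (len(losses) - 1))]

    return {
        "p10": pct(0.10),   # "best case" year
        "p50": pct(0.50),
        "p90": pct(0.90),   # "worst case" year worth planning for
        "max": losses[-1],
        "mean": sum(losses) / len(losses),
    }


# Constructed scenario (assumption): credential phishing leading to fraudulent wire transfers.
BASELINE = Scenario(
    name="phishing -> fraudulent wire",
    tef=Range(2, 6, 20),
    vulnerability=Range(0.10, 0.30, 0.60),
    loss_magnitude=Range(50_000, 250_000, 2_000_000),
)

# The same scenario after new evidence (say, phishing-test results showing far
# fewer successful clicks): only the vulnerability range is updated, the rest
# of the assessment stays as it was, and the model simply re-runs.
UPDATED = Scenario(
    name=BASELINE.name + " (after control evidence)",
    tef=BASELINE.tef,
    vulnerability=Range(0.02, 0.05, 0.15),
    loss_magnitude=BASELINE.loss_magnitude,
)


def compare(before: Scenario, after: Scenario) -> tuple:
    """Run both versions of a scenario so the effect of updating one range is visible."""
    return simulate(before), simulate(after)


if __name__ == "__main__":
    for scenario in (BASELINE, UPDATED):
        result = simulate(scenario)
        print(scenario.name)
        for key, value in result.items():
            print(f"  {key:>4}: ${value:,.0f}")
```

Running it prints a loss range per scenario rather than a single number, which is the point of the interview's "best case and worst case in one sitting": p10 is the quiet year, p90 the one to budget for. Because the ranges are inputs, correcting one estimate when evidence arrives means changing one line and re-running, not redoing the assessment.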