Tony Martin-Vegue leads the San Francisco Bay Area chapter of the FAIR Institute, 30 members strong. Tony spoke at the first FAIR Conference in 2016, presenting a case study on measuring DDoS risk using FAIR. In his day job, he’s Manager, Information Security Risk at Lending Club, the online credit marketplace that matches investors with borrowers, bypassing traditional bank lending and passing on the savings to borrowers in lower rates. Lending Club has funded some $25 billion in loans.
1. Tell us about your job at Lending Club.
I head the department that performs information security risk assessments. We identify assets that need protection, perform threat modeling, assess vulnerabilities, determine impact and perform risk assessments. Usually our most important asset is customer information -- we are bound by the Gramm-Leach-Bliley Act, which sets federal regulations around how we protect customer data. One of our primary missions at Lending Club is to increase customer trust and protect customer data.
2. How are you using the FAIR model currently?
I’m using FAIR to perform risk assessments both large and small. An example of a small risk assessment would be: if we have a server that can’t be patched for the Heartbleed bug, then we assess the risk in that situation. I can do a FAIR-based risk assessment on one particular problem, and also large assessments on the total risk cyber criminals pose to the company, as one example.
FAIR teaches you mentally how to decompose the problem. If you’re looking at the risk of cyber criminals to the company, the typical reaction is ‘Wow, I don’t know where to start.’ But FAIR teaches you to decompose, so you start small and start building out all the components that make up the risk.
3. How did you get interested in FAIR?
I first became interested in and was introduced to FAIR back in 2012. I used to work at a bank, and it was really born out of a frustration with qualitative methods -- and back in 2012 that’s all I knew. I knew the simple annualized loss expectancy calculation from the CISSP, but I’d never seen that in action.
The problem I was trying to solve was the inability to aggregate risk or view risk as a portfolio. Management wanted to see total risk. Qualitative methods don’t support a total risk view, and those that try it end up with some serious math errors.
I started looking at quantitative methods. I started Googling everything: Octave, COSO, NIST. I finally landed on FAIR.
I came across an early white paper from Jack Jones and got totally hooked. It solved my aggregation of risk problem and solved another problem: We couldn’t verify analyst assumptions on risk. I would come up with a ‘high’ risk on something and the guy sitting next to me would come up with ‘medium’ or ‘low’.
FAIR is more than a taxonomy - it’s a way of thinking about risks that provides similar results among different analysts. The consistency of results gives managers a tool to verify assumptions and trust the outcome.
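As an added illustration (not part of the interview, and not Lending Club’s or the FAIR Institute’s own tooling), here is a small Monte Carlo sketch of the two things Tony describes: decomposing each scenario into Threat Event Frequency, Vulnerability and Loss Magnitude, and aggregating scenarios into the portfolio view that qualitative ratings cannot give. The scenario ranges are constructed placeholders, and the annualized loss is simplified to Loss Event Frequency times Loss Magnitude.

```python
import random
from statistics import mean

# Each estimate is a (min, most_likely, max) range; the values below are
# constructed placeholders for the example, not Lending Club data.
SCENARIOS = {
    "unpatched_server_exploit": {
        "tef": (2, 6, 20),               # threat events per year
        "vuln": (0.05, 0.15, 0.40),      # P(threat event becomes a loss event)
        "loss_magnitude": (50_000, 200_000, 1_500_000),  # USD per loss event
    },
    "insider_data_theft": {
        "tef": (0.2, 0.5, 2),
        "vuln": (0.10, 0.30, 0.60),
        "loss_magnitude": (100_000, 800_000, 5_000_000),
    },
}

def draw(rng, estimate):
    """Sample one value from a triangular distribution over (min, mode, max)."""
    lo, mode, hi = estimate
    return rng.triangular(lo, hi, mode)

def fair_simulate(scenarios, trials=10_000, seed=1):
    """Return (per-scenario, portfolio) annualized loss samples, one per trial."""
    rng = random.Random(seed)
    per_scenario = {name: [] for name in scenarios}
    portfolio = []
    for _ in range(trials):
        total = 0.0
        for name, s in scenarios.items():
            # Loss Event Frequency = Threat Event Frequency x Vulnerability
            lef = draw(rng, s["tef"]) * draw(rng, s["vuln"])
            # Simplified annualized loss = LEF x Loss Magnitude
            loss = lef * draw(rng, s["loss_magnitude"])
            per_scenario[name].append(loss)
            total += loss  # aggregate within the trial, never by adding ratings
        portfolio.append(total)
    return per_scenario, portfolio

def summarize(samples):
    """Mean and 10th/50th/90th percentiles of a list of loss samples."""
    s = sorted(samples)
    pct = lambda p: s[min(len(s) - 1, int(p * len(s)))]
    return {"mean": mean(s), "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90)}
```

Summarizing the portfolio list gives the total-risk view management asked for, while summarizing each per-scenario list gives the individual assessments; because every trial sums the scenarios before any percentile is taken, the portfolio figure is consistent with its parts.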
4. What do you see as the key issues for the profession?
As an industry, we are too interested in the next shiny thing, the newest hyped security product you see in the RSA Conference halls. In pursuit of the shiny thing we are letting security vendors steer our industry and our companies. We’re not using evidence-based, data-driven research to drive decisions.
A quick example: I was researching insider threats. I started looking for research and white papers around the number of security breaches caused by insiders. I found seven different research papers with seven ranges, from 74% to 14%. And all of the research was sponsored by security vendors. One quick data-driven FAIR analysis could settle this entire argument, but we’re not doing that. We are letting vendors decide for us.
5. What advice would you give to young people starting out as FAIR analysts?
My advice is counterintuitive because financial institutions are usually behind the curve in technology but actually are ahead of the curve in risk management techniques and adoption.
I would focus on financial services firms and try to learn as much as I can about that industry: banking, lending, insurance, how all of that works and how current risk assessment techniques are used. You’ll find that FAIR is extremely compatible with what financial companies are already doing.
My second piece of advice is: Don’t get locked into information security risk as far as what you are learning. A lot of problems have been solved already in the operational risk and financial risk sectors.
6. What do you do for fun?
I love risk, and I spend much of my free time researching and learning new techniques. I also like open water swimming – I live in the San Francisco Bay Area and I’ve swum from Alcatraz to San Francisco nine times now. I’ve also performed several FAIR analyses on that activity! It’s an interesting exercise, and surprisingly, the Loss Event Frequency is fairly low. There aren’t as many sharks in the Bay as there used to be.