Andrew Retrum is Managing Director, Global Financial Services Security & Privacy, at Protiviti and an Advisory Board Member for the FAIR Institute. He started his career at one of the big accounting firms before becoming one of the founders of Protiviti, Inc., now a global consultancy (and the founding Advisory Partner of the Institute).
In this 10-minute conversation with Luke Bader, the FAIR Institute’s Director of Memberships and Programs, Andy covers some of the top-of-mind concerns for FAIR practitioners, including tips on communicating risk to the board:
“The first thing is consistency. By sharing your thoughts on security in a consistent manner, you’re focusing less on the format of the presentation and more on the risk itself. The rigor with which the FAIR ontology allows you to approach a problem is very clear and understandable. Once the audience understands that, it becomes a more thoughtful conversation about the risk itself.”
Protiviti increasingly finds that clients have moved beyond the educational phase on cyber risk quantification and are now looking to consultants to design and build FAIR programs and even extend FAIR practices beyond core cybersecurity applications.
“A number of our clients are looking to adopt it broadly for all their IT risks and even tie it into credit risk and other business risks as well. The concepts are very flexible... We have some clients that are looking at resiliency, and leveraging the FAIR methodology to help quantify what the impact is if a specific business product or service goes down.”
Learn more about Protiviti’s field work with FAIR and its new CISO Next networking/collaboration initiative in this video: