“I was the classic example of the risk expert that didn’t believe” in quantification, says Jeff Norem, Vice President and Deputy CISO at Freddie Mac, the mortgage finance institution. “I was the expert doing high/medium/low assessments all day long and pretty successful at it.”
That was 12 years ago, when he was working a security role at Target Corporation – then he was introduced to FAIR by Jay Jacobs (now at Cyentia Institute). “I kind of took the red pill and haven’t looked back.” He’s since been a FAIR advocate at MoneyGram, FICO, and other financial organizations.
This Meet a Member video interview with Luke Bader, Director, Membership and Programs for the FAIR Institute covers Jeff’s insights on building a FAIR program, recruiting executive support, and moving beyond the controls-compliance mindset in cybersecurity. “I think quantification is forcing us down the road of thinking exactly how am I effective or not effective and whether a control really matters,” he says.
Jeff appeared on a panel discussion at the recent 2022 FAIR Conference (FAIRCON22), and voiced some pointed comments on cyber insurance:
“In a lot of the conversation I’ve seen over the years, there really wasn’t any rhyme or reason for how much cyber insurance we had. Someone just made a decision, likely the CISO, maybe someone in finance.”
“Now, with the FAIR standard, we can model specific scenarios and manage those risks in different ways. We can keep investing to add more controls and keep that risk down, or in some cases, move that bar up and get more transfer coverage with insurance.”
Watch the video of that FAIRCON22 discussion: Panel: Driving Culture Change - From a Compliance to a Risk-based Approach to Cybersecurity (FAIR Institute Contributing Membership required).