The North Carolina chapter of the FAIR Institute launches with a meeting on Thursday, February 22, in Charlotte, co-chaired by La’Treall Maddox of Cisco Systems, Inc., along with David Sheronas from Bank of America. La’Treall is Strategy Risk Manager for Cisco’s Security & Trust Organization (S&TO), and the leading FAIR evangelist at the company, which is making a major push on risk quantification; more than 80 S&TO cyber security SMEs have been trained on FAIR through the RiskLens program, and the company developed its own internal application to run on the FAIR model.
“FAIR has completely changed the strategy and landscape for what we’re doing as an organization,” says La’Treall, “and ultimately will be used to inform what’s facing our Chief Security & Trust Officer, our CISO and the Board of Directors.”
Q: Congratulations on the FAIR Chapter launch! What’s on the program for the first meeting?
A: Jack Jones will be with us to give a light touch on what FAIR is for the newbies, and then, for the professionals already incorporating FAIR into their work, a deeper dive into where FAIR is going, how its application can be implemented in a more robust environment, and perhaps a look at aggregated models for capturing and expressing risk in financial terms.
Q: How did you first discover FAIR?
A: This goes back about 18 months. I’d been told that expressing cybersecurity risk in financial terms wasn’t doable for a variety of reasons. We work with constituents at Cisco that are exceptionally experienced in the cybersecurity realm, and that level of exceptionalism leans towards: “We’re unique, we’re so markedly different that uncertainty can’t be defined in this space.” And that’s actually normal when it comes to labeling and quantifying uncertainty in complicated, highly specialized disciplines. I didn’t really understand why, when we had so much data available to us.
My background is in strategy and finance and the intersection of the two of those things comes together in any industry. So, bringing it together in the cybersecurity landscape made sense to me. And speaking in financial terms is how the rest of the business communicates.
So, I started to research and that got me lined up with Douglas Hubbard. I read his book (How to Measure Anything in Cybersecurity Risk) and I thought this is golden, it makes sense to me and I’m not a statistician. And his book references FAIR, and from there I spring-boarded to investigating the decomposition of risk -- which is so great because FAIR allows its practitioners to have a common language and a common framework to decompose risk in a way that’s systematic, repeatable, scalable, and mathematically defensible.
Q: Why were you able to successfully introduce FAIR at Cisco?
A: The defensibility of the ontology and financial modeling is critical. Being able to explain the math to engineers responsible for security is critical. Because if it’s just ‘this is my estimation’ or ‘this is how I ran the numbers’, if it’s not statistically provable it falls apart, and it’s ‘oh, that’s just your estimate’ and then it’s ‘wrong’ if it doesn’t happen.
Also, you’re enabling your subject matter experts to move from a place of just taking their gut instinct and experience, which is valuable, but consider that instinct and that experience in a tool where you have multiple sets of experience and gut instinct from a variety of subject matter experts, incorporated into a mathematically and statistically defensible model that’s repeatable and scalable, attaching that ultimately to a framework for data.
As a security professional, typically what you come to the table with is ‘bad things are going to happen if you don’t invest’. How much more palatable and powerful is saying to that investor ‘I may be operations but I’m mitigating the probability of this much risk exposure over X period for the entire company.’ And it’s not just in a red/yellow/green or a CVSS score--that doesn’t translate well to the CFO or the board of directors or to the Street.
Q: How is Cisco using FAIR now?
A: We are looking at return on risk mitigation type work, instead of simply talking about which prioritization of a particular control you’d like to implement into a network or a space from a technology perspective. The only financial construct around these conversations in the past was how much it cost and maybe it will move us from being red to being yellow.
Also, we’re looking at where we are going as a company and how we are prioritizing getting all our risks mitigated or in some instances helping our clients become more mature in their risk posture as well.
Right now, we are looking at individual use cases. But the goal is incorporating the capacity to do this at an aggregated level where there are multiple factors, multiple weights on the attributes of a group of assets, and then to run scenarios for hundreds and thousands of assets with a variety of different attributes turned off or on or checked one way or the other. That’s where we’re going -- aggregated models by asset group that would align with our data so the data is doing the heavy lifting. The goal is not to have a bunch of risk analysts running a bunch of use cases; then you never really understand what your total risk posture is. We’re still at the beginning of all this.
Q: Have you met any resistance to moving to quantification?
A: The unique thing about the Security & Trust Organization at Cisco is that InfoSec is a part of our organization. The Chief Security & Trust Officer drives strategy across the entire Cisco portfolio and the industry, so it’s not just about keeping Cisco secure. It’s about our customers’ security as well. It’s also about influencing where the industry is going as early adopters in this space.
Our Chief Security & Trust Officer is very much on board with this work effort. Quantification of cybersecurity risk in financial terms was not originally slated as a core component of our strategy for this fiscal year, and yet even in its infancy the reaction has been ‘Yes, I want more of that. How fast can we go?’
Q: How about off the job – any recent accomplishments?
A: I’m a guide dog puppy raiser. I just finished raising my first black Labrador. Only 40% of the dogs actually make the cut and get placed into full time service. I did the math on what’s possible vs what’s probable and thought she’d never make it. Sure enough, she was placed with a gentleman in his early 30s who does social work and lost his sight in college. When you’re training, you take the dog everywhere with you -- she’s probably the only dog who’s gone through FAIR certification training!
Q: Any advice for young people starting out in cyber or information risk?
A: #1: I would encourage them to stay curious.
#2: I’d say don’t believe, if cybersecurity is not your core area of subject matter expertise, that you don’t have the capacity to help other people think critically about the work we are doing.
#3: Lastly, I would say don’t be intimidated by acronyms, because no one speaks in whole words around here.