Bob Dooling, Director, Security Risk, for Redox, a provider of secure exchange of healthcare data, took a path to FAIR™ quantitative risk analysis starting from the frontlines of cybersecurity as a penetration tester, then made the move to cyber risk management. At each career stop, he felt something was missing: in pen testing, it was identifying the same issues year after year without clients moving forward; in risk management, it was qualitative risk assessment practices that didn’t answer real business problems.
In my talk with Bob, we cover topics that will interest both the FAIR-curious and experienced managers of quantitative risk programs.
Watch the Meet a Member video:
>>Thought leaders he followed who shaped his thinking, from Douglas Hubbard to Richard Bejtlich to Bruce Schneier and of course, FAIR creator Jack Jones.
>>Core benefits of FAIR: The foundational terminology – “Unfortunately, in the security risk professions, sloppy use of foundational terminology is rampant.” And the ontology, especially the FAIR-on-a-Page diagram: “Having people recognize and think through the components that feed into risk can be eye-opening.”
>>Running two major efforts with FAIR at Redox: prioritizing vulnerability management and re-aligning third-party risk assessments.
>>Taking FAIR home to daily life: Bob describes how FAIR helped his family think about risk tolerance for COVID-19, inspired by the example of decision-making on buying a new bicycle for a child in Jack Jones’ introduction to the FAIR Controls Analytics Model™ (FAIR-CAM™) (see page 9).
In 2022, “what I’m most excited about is FAIR-CAM. I think it has the potential to address an absolutely huge shortcoming in most organizations…Now we have a way to identify which controls will have the best return.”