Chris Porter first learned about FAIR years ago working in cybersecurity at Verizon, where he led the respected DBIR report, developed the Vocabulary for Event Recording and Incident Sharing (VERIS) system for classifying security events, and later built the company’s threat intel team.
Chris came to Fannie Mae — the federal enterprise that funds mortgage lending — in 2015 after 10 years at Verizon and is now Senior Vice President and CISO. An early advocate for FAIR in the industry, Chris has been on the board of the Institute since its founding and speaks frequently at the FAIR Conferences and other Institute events.
In this podcast conversation with Luke Bader, Director, Memberships and Programs, Chris covers four ways that FAIR has brought value to Fannie Mae, dealing with the talent shortage in cybersecurity, and what’s coming up at the 2019 FAIRCON.
“By leveraging FAIR and really understanding the loss components of FAIR,” Chris says, “you have to go out and talk to the business, and find out, hey, how do you really make money? If you lost a certain amount of time in a day, how much business would you lose?
“That sort of conversation is really helpful, especially if you are a CISO because by learning about the business, you are learning about how the company operates.”
Listen to the podcast below — and also see a video of Chris giving tips on introducing FAIR to your organization, from a talk he gave at the FAIR Institute Breakfast during the 2019 RSA Conference.
Q: I wanted to start off by asking you how you first heard about FAIR and then when did you start to begin using FAIR?
A: Certainly, so I first learned about FAIR probably eight to 10 years ago. I was at Verizon working on the Data Breach Report and one of my co-workers was the great Alex Hutton, one of the biggest FAIR evangelists out there.
Alex had just joined our team and at that time, Jack Jones and Alex had been working together on what was the precursor to what has become RiskLens today. I had been reading a lot of the blogs that he was writing with Jack at that time. Alex brought this mentality in to us as we were writing the data breach report around, How can we use the data from the Data Breach Report to actually quantify risk?
That’s when I first learned about it and I kind of fell in love with the model to some extent.
Q: So having fallen in love with it, how has FAIR provided value to your organization since you started to use it?
A: When I left Verizon about four years ago, one of the things I wanted to do was bring FAIR into my company, Fannie Mae, as a means to understand cyber risk better and differently.
So, I think there are several benefits. One is, it helps you understand your business better. How does your company make money? How does the company operate in general?
By leveraging FAIR and really understanding the loss components of FAIR, you have to go out and talk to the business, and find out, hey, how do you really make money? If you lost a certain amount of time in a day, how much business would you lose?
That sort of conversation is really helpful, especially if you are a CISO because by learning about the business, you are learning about how the company operates.
We’ve been able to leverage it to get out of different contracts that we found increased our losses too much if there was the event of a data breach.
And we are also using it for prioritization efforts. Some of it has to do with projects. If I’m looking at different security projects for my portfolio, which ones are the ones I need to focus on to help me reduce the most risk across the organization?
And then there’s more tactical things that we can leverage. And this is where I’ve used it as a tool. Because when you have quantified data about what would happen if something bad were to happen, it’s a really powerful tool in your tool belt.
Imagine if you’re talking to an organization and they want to risk accept mitigating a critical vulnerability in an application. You could have that conversation with them, and say hey, I’m OK with risk accepting, but here’s the deal: I need you to sign up for risk accepting these potential losses of say, $15 to $20 million. When you bring that kind of data and that kind of information to them, people don’t want to sign up for that kind of risk acceptance, they want to go actually remediate the issue and take care of it. That sort of powerful tool of data is incredibly helpful across the organization
Q: So, within the FAIR Institute, you’ve been a rather involved member over the past couple of years. You want to talk a little bit about your involvement with the FAIR Institute, and how you’ve seen it grow in the past three years and where you see it going?
A: Absolutely. I am part of the advisory board for the FAIR Institute. We have several different jobs as a part of that. Some of it is education and evangelizing FAIR itself in the industry so people are aware that it exists.
Some of it is going out to do FAIR breakfasts at various events, like at the RSA Conference to talk and share our experience. I think that kind of networking capability that you can share the good experience that you’ve had with something and other people can take those learnings back with them and apply them at their organization is incredibly helpful.
Sometimes, it’s talking to the press to talk about how this is a method for managing and monitoring and measuring cyber risk.
And one of the other aspects is just helping shape the energy around growing the membership. Like what are the best ways to do that, like treating FAIRCON as a means to get more people involved with that event to make sure the speakers that are there are talking about the right things.
Some of it’s around making sure the Institute itself has enough good educational training mechanisms because, if you want to grow the membership, people have to have a way of learning about it, and learning about FAIR, so making sure that the right kind of content is available, like these kinds of podcasts as well.
Q: You mentioned FAIRCON - you’re going to be there again this year, you’ve been a speaker at past conferences and we’re, again, for those of you that don’t know, our fourth annual conference, September 24th and 25th at the Gaylord National Harbor which is just south of Washington, DC. So we really are looking forward to our biggest and best conference yet. Chris will be part of one of the panels there so thank you for that and really looking forward to a multi-day event.
A: Yeah, and it’s an incredible venue as well. It’s right there on the Potomac, you can look out across the bridge, you can see Alexandria on the other side, I think you can actually see parts of Mt. Vernon from down there as well.
Q: I believe you can as well. We have a great spot this year and a great lineup of speakers and it’s going to be fantastic. A couple last questions for you: Just wanted to ask what are some key issues that you see facing the larger risk management and info security profession?
A: When you talk to any sort of executive in cybersecurity and risk management these days, I think one of the big things they continuously talk about is the talent shortage that is there, the supply-demand issue. The demand for jobs is far exceeding the supply of people to do this work. I saw something recently that said that there is going to be 3.5 million unfilled cybersecurity jobs globally by 2021- that’s up from one million positions in 2014. A subset of those jobs is going to be risk management jobs, and risk quantification as well.
So that’s only one of our biggest challenges, is making sure that the folks out there are educated, make sure there’s a career path for people to get into this field. I think, and this is something that I say to students all the time, is learning about risk management and certainly learning about FAIR gives you this framework where you can immediately talk about risk in an organization and it makes you valuable just by having this frame of reference, the way you think about risk, the way you think about losses like the primary losses and the secondary losses, you think about threat frequency. Having that sort of mental map to talk about risk, makes you very valuable.
I think the FAIR Institute and all of us that are involved with this, increasing that education is incredibly important so that we can take people from other fields and educate them so that they can come into this really fast-paced, growing industry.
Q: Absolutely. We at the Institute are partly teaching FAIR with our FAIR university curriculum at about 18 universities that we know of now. We provide a syllabus to professors and different educational resources for them so that professors in academia can teach students and that we can develop this next generation of cybersecurity business leaders so that they’re able to speak in both worlds. That’s really awesome to hear. As we continue to grow and spread and continue to educate, I think it’s really going to benefit the industry.
So, wrapping up Chris, anything else we need to know - any fun project you’re working on that you can share?
A: Probably the two projects that I’m working on, both are on the personal side. One, potty training my youngest son. That is a monster project that my wife and I are both undertaking.
Q: A lot of risk involved there, I’m sure.
A: A lot of risk, absolutely. A lot of defense in depth as well. But the other one on the personal side, where personal and professional intermix is that I was asked by my alma mater, the University of Virginia, to teach part of a cybersecurity certificate program that they are starting. They asked me to develop materials and teach cyber risk, and FAIR is one of the main sort of backbones of how I am teaching the course because I think it’s that important for folks coming in to this field to have that frame of reference.
Q: Definitely. Well, congratulations on that. Those students are very lucky
A: I hope so.
Q: Well, thank you, Chris, so much for your time today, and for everybody listening. As always, feel free to reach out and stay connected with us, follow us on Twitter and LinkedIn. I hope to see you all at future events, specifically, FAIRCON coming up this fall. So, thanks again.
A: You’re welcome. Great being here.