New England FAIR Chapter Co-Chair, and Vice President for Enterprise Cybersecurity at Fidelity Investments, the giant ($7.4 trillion in customer assets) mutual fund company, Jim Robert has been a FAIR practitioner for three years.
Like so many members, Jim says, “we were struggling with ‘How do we really talk about cyber risk in a more meaningful way?’” until his team came across FAIR. “One thing we got right out of the gate was a truly new paradigm about how we think about risk.”
In this short (8-minute) talk with FAIR Institute Director of Memberships and Programs, Luke Bader, Jim covers:
- Two tips for starting a FAIR program
- The one book to read – besides the FAIR book, Managing and Measuring Information Risk by Jack Jones and Jack Freund.
- Fidelity’s version of “FAIR lite”
- Jim’s “a-ha” FAIR moment.
Listen to the podcast now. Read the transcript below.
Luke Bader: Jim, how did you first hear about and then begin using FAIR?
Jim Robert: My risk manager Ed Lee started doing a search three or three and a half years ago because we were struggling with ‘How do we really talk about cyber risk in a more meaningful way?’ We were using the traditional, ‘We think it’s high, medium or low risk.’
He found and stumbled onto FAIR and the FAIR Institute, bought Jack Jones’s book and we’ve been hooked ever since.
Luke: That’s great. How has FAIR provided value to your organization? And can you give our listeners a timeline?
Jim: Starting three years ago, we adopted FAIR and we did a little bit of a variation of it and adopted what we call FAIR lite, to keep it lightweight and leverage it to start informing us around FAIR’s output and values which are great for risk.
One thing we got right out of the gate was a truly new paradigm about how we think about risk -- thinking about the inputs to the FAIR model and everything that goes into it which drives the result.
I think the big ‘a-ha’ for me was, if there’s not a loss event and you can’t articulate it, it really becomes problematic. It really led us to a totally different way of thinking about cyber risk and forcing a little bit more discipline around the FAIR framework and what it prescribes in order to start classifying and categorizing risk.
Luke: Thank you for that. What would you say are one or two pieces of advice to start building a FAIR program?
Jim: I’d probably say two things.
One of our team members discovered Doug Hubbard’s book around calibration. I would highly recommend, in addition to reading the FAIR book by Jack, to read that book on calibration. It really helps on the front side of doing a risk analysis and an assessment using FAIR to think about numbers and the inputs that you are leveraging. Otherwise you could have very skewed results and imprecise results.
The second thing would be: Start small. Don’t think you are going to solve your company’s problems with it. Start small and become comfortable with what you learn from it. Be OK that it won’t be perfect and just recognize what you are continuously learning about how to think about the data that goes into the FAIR model and how it informs risk.
Luke: Thank you, and I want to re-emphasize your point. I’ve heard from other members in this series who we are interviewing: Start out with those small, quick wins.
Larger question here for you. What do you see as some of the key issues facing the risk management and infosecurity profession today?
Jim: One of the things I’ve grappled with is: What does it mean? If I declare a risk level and I use my old methodology and I say that type of risk is ‘high’, the questions I always get asked are ‘What does it mean?’, ‘What should I do about it?’ and ‘How bad really is it?’
We were unable to answer that in a way that was meaningful for senior leadership to really understand. I can now talk in dollars and cents. And expressing risk in dollar terms is more meaningful for everyone. Everyone understands the value of a dollar.
Then that translates and turns into discussions around what’s our appetite: how much of a dollar loss are we willing to accept before we invest in mitigating or reducing that risk to a level that we are comfortable with. And that’s a totally different way to talk about cyber risk. It has been for me now, ‘What do we really think about a million-dollar problem -- is that acceptable or not?’ vs. ‘Are you OK historically with a high risk or a moderate risk?’
Luke: I’ve seen you in the past at our FAIRCONs but you’re also getting more involved at the local level. I’d love to share with our listeners your involvement with the local New England Chapter.
Jim: Sure. I’ve been a FAIR Institute member for probably a year and a half and what intrigued me with the local chapters was there’s a whole community out there. Some of them are more advanced and we can learn from them, others are just starting out on their FAIR campaign and I look at that as a real opportunity to cross-share and collaborate across all those organizations what are the best practices around adopting FAIR, implementing FAIR, what works, what doesn’t, and just learn from others in that community fashion.
I’m pretty excited now to begin to co-chair our local chapter in New England, and I’m really excited for our next couple of meetings to get together with folks and share our own best practices and learn from others what they’re doing. It makes it a lot easier when you don’t have to keep recreating that wheel.
Luke: I totally agree. Jim, you’re going to be hosting the next New England Chapter meeting in June?
Jim: Yes, sir, we are.
Luke: So, look out for some email correspondence about that, probably starting about a month out in May. That will be a really great event.
Jim, thank you so much for your time today, your valuable input. We really appreciate it.
Jim: Great. Thanks very much, Luke.
The SC Media Awards of 2019 honored the FAIR Institute as one of the Most Influential Industry Organizations of the Last 30 Years.