When Tim Titcomb was first introduced to FAIR by co-workers at Fidelity, "we walked out of the room and sort of shrugged and we did not have the red pill/blue pill moment. But I'd been looking for an opportunity to re-energize the risk team I had just taken over, give us some direction and really start to do more proactive risk assessment...Then I picked up the (FAIR) book Measuring and Managing Information Risk, and that's where it really clicked for me.
"I think the biggest thing that hit me as I read the book was the power of the quantitative analysis, certainly in and of itself but also the ability to take those results, give the business and my technology partners information that they can act on, in dollar amounts of risk that they can look at and say, if I make this development investment, it will offset this amount of risk, and really start to enable that conversation in a different way."
Tim went on to be a FAIR evangelist at Fidelity, a speaker at FAIRCON18, and a leader in the North Carolina chapter of the FAIR Institute. He recently talked with FAIR Institute Director, Memberships and Programs, Luke Bader for our Meet a Member podcast series. Listen to this 14-minute recording and learn how Tim:
- Introduced FAIR as a standard framework and vocabulary for risk and cybersecurity teams at Fidelity
- Compares risk across many different applications and products, based on FAIR analysis
- Explains FAIR analysis results to stakeholders
- Is working to build partnership between the risk and cybersecurity teams
Q: How did you first hear about and then begin using FAIR?
A: So, it’s funny. We actually met a couple of our colleagues, one of whom you know already, Jim Robert, one of his co-workers, Ed Lee, on our team on our Enterprise Cybersecurity organization, they had started using FAIR and they had heard about it and I was new in my risk role, and we met with them and Ed sat down and walked us through their process, for using what they called FAIR Light. It had the foundation of FAIR, but they used it a little bit differently – they did the quantitative assessment piece a little bit differently, getting to a high-medium-low, so it was a hybrid, if you will.
And we met with Ed and to be honest, we walked out of the room and sort of shrugged, and we did not have the red pill/blue pill moment. But I’d been looking for an opportunity to re-energize the risk team I had just taken over, give us some direction and really start to do more proactive risk assessment work.
So, having spoken with Ed, I then picked up the book, and we read Measuring and Managing Information Risk, and that’s where it really clicked for me.
I was able to look at that, understand and there was something about reading it, and seeing it and it all started to make sense – this is the way we can do this, this is how we can merge frequency and magnitude, and really start to get those deliverable results.
I think the biggest thing that hit me as I read the book was the power of the quantitative analysis, certainly in and of itself but also the ability to take those results, give the business and my technology partners information that they can act on, in dollar amounts of risk that they can look at and say, if I make this development investment, it will offset this amount of risk, and really start to enable that conversation in a different way.
So, it was a combination of meeting with our colleagues and then going through and looking at the book, and then from there it’s just been taking off and getting a lot of traction and getting really excited about how we can use FAIR here at Fidelity.
Q: That’s great to hear. Thank you. You just mentioned that one way FAIR helps in your organization is being able to communicate back to business leaders. Can you elaborate on that, or on how else FAIR has provided value to your organization?
A: That’s certainly one way, the communication and getting that in the dollar terms and making it translatable to the business team in ways they understand, frankly, in terms they understand.
Beyond that, some of the other benefits, we’ve had a lot of great success getting to a standard framework. What we saw, whether it was our cybersecurity team or our own teams or the other risk teams – we have multiple business units across Fidelity that we all support – so, what does risk mean? It means different things in different contexts, the terms are used differently, having FAIR as the framework to be able to talk about risk, and then beyond that, we’ve taken a step to start to build a structured risk assessment program that looks at metrics as they come in, how do they map to the FAIR factors like Threat Event Frequency, how do they map to the scenarios we’ve built out, whether it’s a privileged insider taking adverse action or a hacker breaking into your systems, it gives us that framework to do some repeatable risk assessments, to have everybody talking about a term like ‘vulnerability’ in the same manner.
And because we start to structure the program in that way and leverage FAIR as the foundation for it, we can start to do some repeatable risk assessments and start to see the comparisons.
So the other big value for us has been to be able to look at things like our IT applications and our IT products and say, based on these scenarios, and based on our risk assessment process and how we’ve mapped these metrics back to FAIR and how we weight them, what is the difference from a product to product or application in terms of risk. And we can see that. We quantify it, we have common loss tables that we use and can configure along the way, if there’s 10,000 users or clients, that’s different than a system that might support 100,000 users, how do we weight that differently? But because we have the structured program, we can now see the inherent risk or reward or the quantified risk across the different applications or products, and that helps facilitate decisions even further.
You now know if there’s a patch that needs to be applied somewhere, certainly we want to apply that everywhere and we will, but we can prioritize, based on the risk calculations and the quantitative assessment we’ve done.
So that’s a value that we’re really excited about. We’re just starting to get through our product suite and our applications suite. As we move forward with that, I really see there’s a huge benefit there.
Not only for that purpose but going forward starting to monitor the metrics and look for changes and see where thresholds are exceeded and that might raise the risk and cause you to go back and reassess.
So, there’s a lot of things we are looking into doing with FAIR and we are really excited about the next six to 12 months and how we can move it forward in Fidelity.
Q: That’s exciting. Those comparisons are so important. We hear that from a lot of members and FAIR users, as well. It sounds like I’m going to have to get you back here in another six to 12 months for an update podcast.
A: That would be fantastic.
Q: Cool. Tim, we’ve worked together in the past with the FAIR Institute and you’ve been involved in conferences – you were a panelist at FAIRCON 18 at Carnegie Mellon but I’d love to hear more about your involvement in the Institute and how you think the Institute is helping spread the message.
A: We’ve been really active in the local chapter, based in the Research Triangle area, Raleigh-Durham, North Carolina. We’ve partnered with our Charlotte friends, Bank of America and some of our other partners out there. The North Carolina chapter, every quarter we switch between Charlotte and Raleigh, and have a meeting. That’s been great both to share ideas, hear from our colleagues and partners in FAIR.
It’s also been great to see the new people showing up. We’ve had a lot of those meetings, and you can see the other companies that show up and start to participate. So, there’s always a handful of fresh faces that are interested, just from a learning perspective or are really starting to roll that out in their organization. Hearing their questions, hearing some of the things they are dealing with or some of the ways they are using FAIR, is always a value.
So, really active in the North Carolina chapter. Same for Boston, I have a team in Boston as well, and we make sure we attend the FAIR chapter meeting up there, so those have been great.
The other thing we’ve done down here, we’ve actually started to do some meet-ups. One of the things we’re finding is, the quarterly cadence was great but there’s always questions in between and sometimes the quarterly meetings don’t get down into the details of, how much do you execute this or specific questions like how do you guys look at threat capability or privileged insiders.
So, we have started up a little bit of a meet-up, to have a forum for those types of questions that might be a little bit more technical and more of a practitioner’s question than what you might get at the quarterly FAIR chapter meetings.
And, as we evolve, the chapter meetings will probably start to get a little more technical. Now, there’s still a lot of new people, so it is a little bit more introductory content. But having both those opportunities for folks to ask those detailed questions has been great as well.
Q: That’s awesome. We are really seeing, and the theme of the Institute in our third year is, how do we properly educate the people who know FAIR, use FAIR, and want to keep growing their knowledge but we’re always going to have those new faces and first timers. So, it’s really important the work you are doing to make sure both tracks are always learning and they come back.
A: Yeah, it’s been really great to have the new folks come in because you always learn from them, too. They’re coming in fresh and they might just know a little bit. Their organizations are different, too, so they might face different challenges that you might not have thought about. So, it’s been great.
Q: Wrapping up, what do you see as some key issues facing the larger risk management/information security profession today?
A: I think specific to FAIR, and I’ve run into a little bit of this as we’ve gone across the organization, but really making sure that folks really have an understanding about a lot of the assumptions that you’ve made in the different scenarios and recognizing that FAIR’s a model that gives you an exposure and it expresses that in dollars. Because we’ve found that some of our assessments have come out with pretty high exposure values, annualized loss expectancy of 10 and 20 million dollars, and without the proper context, you throw that in front of somebody and they are immediately thinking, are you really saying we’re going to lose 20 million dollars next year?
So those are some conversations we have and I think it’s really important that, as you go into discussions with, whether it’s executive management or an application or product owner, certainly in the scenarios in working through the risk assessments, you do that, and it’s important to understand that you’re not making a prediction, you’re assessing exposure. So that was one of the challenges we’ve run into.
Then I think, beyond that, really looking at, specific with risk management and information security, how can you start to merge those organizations? I had a great conversation with one of the senior executives in our cybersecurity organization, we were specifically talking about disaster recovery, he came to me and said, look, I really need you guys to help me from a risk perspective to figure out what I need to look at, what’s the high priority from the business unit’s perspective, from a risk perspective, so as I look to do more with disaster recovery whether that’s more robust testing, require teams to fail over to the secondary servers, whatever their activities are, that they will want to do in a disaster recovery space, how do they prioritize those efforts, what are the different forms of requirements they need to impose on the system owners and the application owners, and how do they layer on the risk aspect of that.
So looking for those opportunities, and really starting to build that partnership between the risk group and the cybersecurity group. In a place like Fidelity, they are separate groups. In other places they might be under one umbrella. That’s really critical. If you can marry up your risk and cybersecurity and start to match the tools and the defenses and everything you do on the cybersecurity side, with the knowledge of what has high exposure from a risk perspective, you’re really doing a great job and a great service to your organization.
Q: This brings us to the end – anything else we should know about you? Fun projects coming up, business or personal? Any trips planned?
A: We do have spring break coming up and are fortunate enough to be going to Hawaii. I think the one fun thing is that, when you start to use FAIR and think about risk, you find it creeps into day to day life and you start thinking, gee, if we did that, if we try that, what could happen, what’s the exposure if I take a surfing lesson, having never set foot, and how high a wave do I think I can handle? It’s been funny to see how it creeps into daily life without you realizing it.
Q: Well, I hope you come back safely.
A: I’ll sit there with, Loss Frequency, 6-foot waves, pretty high, Loss Magnitude, yup. I will let you know how it goes.
Q: Thank you so much for taking the time, and hope to talk to you again soon.
A: Thanks, Luke, appreciate it.
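Three points from the interview are easier to see in code than in prose: merging frequency and magnitude into one number, a common loss table weighted by how many users a system supports so that applications can be ranked, and an annualized loss expectancy (ALE) that is an exposure, not a prediction of next year's loss. The following is an added example written for this page; it is not code from Tim Titcomb, Fidelity or the FAIR Institute. It is a small FAIR-style Monte Carlo in Python. The scenario names, the calibrated (min, most likely, max) ranges and the per-user loss figures are constructed assumptions chosen only for illustration, not figures from the interview.

```python
"""FAIR-style annualized loss exposure by Monte Carlo (added example, constructed inputs)."""
import math
import random
from statistics import mean

# Constructed scenarios (assumptions for illustration only).
# "lef" is Loss Event Frequency in events per year as (min, most likely, max).
# "loss_per_user" is the per-affected-user loss in dollars from a shared loss table,
# scaled by "users" so a 100,000-user system carries more exposure than a 10,000-user one.
SCENARIOS = {
    "customer portal (10,000 users)": {
        "users": 10_000, "lef": (0.1, 0.5, 2.0), "loss_per_user": (50.0, 150.0, 400.0)},
    "customer portal (100,000 users)": {
        "users": 100_000, "lef": (0.1, 0.5, 2.0), "loss_per_user": (50.0, 150.0, 400.0)},
}


def draw_triangular(rng, calibrated):
    """Draw from a (min, most likely, max) range; random.triangular takes (low, high, mode)."""
    lo, mode, hi = calibrated
    return rng.triangular(lo, hi, mode)


def sample_poisson(rng, lam):
    """Knuth's method: number of loss events in one simulated year at rate lam."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_ale(scenario, years=20_000, seed=7):
    """Simulate many years; return ALE (the mean) plus the percentiles that give it context."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    annual_losses = []
    for _ in range(years):
        lef = draw_triangular(rng, scenario["lef"])      # this year's event rate
        events = sample_poisson(rng, lef)                 # how many events actually occur
        total = 0.0
        for _ in range(events):
            per_user = draw_triangular(rng, scenario["loss_per_user"])
            total += scenario["users"] * per_user         # loss magnitude for this event
        annual_losses.append(total)
    annual_losses.sort()

    def pct(q):
        return annual_losses[min(int(q * years), years - 1)]

    return {
        "ale": mean(annual_losses),                       # exposure: the long-run average
        "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
        "max": annual_losses[-1],
        "p_zero_loss_year": sum(1 for x in annual_losses if x == 0.0) / years,
    }


def rank_by_ale(scenarios):
    """Rank applications by exposure, the comparison used to prioritize remediation."""
    results = [(name, simulate_ale(s)["ale"]) for name, s in scenarios.items()]
    return sorted(results, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, s in SCENARIOS.items():
        r = simulate_ale(s)
        print(f"{name}: ALE ${r['ale']:,.0f}  p10 ${r['p10']:,.0f}  p50 ${r['p50']:,.0f}  "
              f"p90 ${r['p90']:,.0f}  worst ${r['max']:,.0f}  "
              f"zero-loss years {r['p_zero_loss_year']:.0%}")
    print("priority order:", [name for name, _ in rank_by_ale(SCENARIOS)])
```

Because both scenarios share the same seed and the same ranges, the larger system's ALE is exactly ten times the smaller one's, which is what the user-count weighting is meant to capture. The percentiles and the share of zero-loss years are what answer the "are you saying we will lose that much next year?" question: with these inputs a large fraction of simulated years have no loss event at all, the median year is typically far below the ALE, and the ALE is the average over that whole distribution, so it is an exposure figure for comparison and prioritization rather than a forecast.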