Tom Callaghan and Christophe Foret pioneered FAIR™ in Europe, both as founders of the Paris Chapter of the Institute and of consulting firm C-Risk, the European leader in cyber risk quantification services.
In this talk with Luke Bader, Director of Memberships and Programs, Tom and Christophe cover
- “Solution fatigue” – How cybersecurity professionals are overwhelming themselves with controls pushed by hundreds of vendors. “How do you prioritize a security program? That’s the big challenge.”
- Their recommendations for first steps to launch a FAIR program
- How they use FAIR to align lines of business owners with IT and infosecurity staff
Watch the podcast or read the transcript below…
Luke: Hello everybody, thank you very much for tuning in today to our Meet a Member podcast. My name is Luke Bader, I’m Director of Membership and Programs at the Institute, and with me today are two very engaged members, two guys from Paris, France, our first international, non-US members joining me in the Meet a Member podcast: Tom Callaghan and Christophe Foret. They are the co-founders of C-Risk, and they are also the co-chairs of the Paris local chapter.
Hello, gentlemen, thank you very much for being with me here today.
Tom: Hello, Luke, it’s a pleasure to be here today to talk to you.
Christophe: Hello, Luke.
Luke: How did you both hear about and start to get into FAIR?
Tom: Christophe and I come from a consulting background. Almost four or five years ago, we were working with a number of clients on moving services to the cloud, and having these endless discussions about, “Is it risky?”
Nobody could describe what the risk was, or agreed what the scenario was. The business teams wanted to do it, the IT teams were afraid, some people were pushing it too quickly. We were looking for a way of structuring those conversations.
We came across FAIR, we reached out to Nick (Nick Sanna, FAIR Institute President), we had some conversations, and here we are now, four or five years later.
Luke: We can’t believe it’s already been three years since the Paris chapter got set up and it’s starting to take hold now and take off rapidly. I’m so very excited about that.
You’ve been using FAIR for a number of years. How has it provided value to your business?
Tom: There’s loads of different areas. Just off the top of my head, we can move from a compliance- and controls-based conversation on information security to something which is more about business. It allows us to talk to non-technical people about cyber risk, which was something very hard in the past. It allows us to think about things in a clearer fashion. One of the great things about FAIR is you clearly define, using the taxonomy and the ontology, what you are really talking about in the scenario. It helps me personally just to really better understand something and how it’s influenced.
Christophe: I’d say while we all talk about financial quantification, the actual benefit of using a more detailed and more precise taxonomy starts way before, and kind of quite rapidly, in helping, as Tom was pointing out, business, IT and infosec teams talk the same language and suddenly triage what otherwise has been a confusion between risk and threats and assets and a number of things that are not risk; they are components of risk, not actual risk.
Luke: We’ve heard that – having a unifying language – from a number of members. It’s great to hear that consistency is happening everywhere.
I’d love for you to explain the growth that’s happening in the region and talk a little bit about your involvement with the chapter.
Tom: We set up the first Paris chapter – or French chapter in a way – back in 2017. It feels like it was yesterday. We do meetings once a quarter at the very least, sometimes a little more frequently. We’ve seen our membership rise to almost one hundred people now, which is great.
The chapter meetings started off really small and now we’re starting to get a more diverse membership. We’ve got people from banks, from industrial companies, from fellow independent consultants. We have people coming from larger industry names in the consulting business.
In each meeting, we’ve developed this format. For the first half of the meeting, we explain what FAIR is for the newcomers, and we typically get someone new every time, so we kind of level set, and I think it helps some of the existing members as well to hear the story again and go through the model.
And for the second half, we do a use case. It can be a use case that Christophe has come across, or maybe we ask someone from the audience to bring us through an experience. Most recently, it was something around GDPR, which is really a big topic in Europe right now. We had a great conversation about how you can take GDPR and break it into a number of different risk scenarios. And it also lets you think in more kind of a rational manner about fines and judgments in that space, but also the other kinds of losses associated with GDPR.
Luke: That’s a great way to do a meeting. All the feedback we get from members is that they want to continue to see those use cases to see how other members in other companies are using FAIR.
You teed me up perfectly for my next question. What are some of the key issues that you’re seeing facing the risk management industry, specifically in your part of the world?
Tom: That’s a good question. We were at a big conference last week around cybersecurity, and one of the things we’ve seen is that there’s what I call solution fatigue. There are hundreds and hundreds of new solutions on the marketplace, lots of different controls, and I think a lot of people just don’t know where to start. How do you prioritize a cybersecurity program? That’s a big challenge.
The vendors are bringing innovations to the marketplace, but it does create hype and noise as well. That’s one of the things that’s top of mind to me.
Christophe: In addition, one thing that struck us at that tradeshow: Even the usual owners of the cybersecurity domain are actually reaching out to other functions in the organization, the line of business leaders, the executives, because they can no longer just handle it from a technology standpoint. They really need to align all the enterprise parts and functions around how to tackle the cyber risk which has become one of the more important operational risks.
Tom: It’s this lack of alignment between technical, business and governance. That’s a big challenge and super-important to fix.
Luke: For people who are just starting out to build a program with FAIR, what are the top two or three things they should start to do first?
Tom: The most important thing is to level set on terminology and the FAIR taxonomy and ontology. So, the first thing we would recommend is: do some sort of training program, get a core team together, make sure everybody understands the model, and you don’t have to go as far as doing detailed quantification. It’s about understanding how to take a scenario and express it using FAIR. If you can just get that right, you’ll get huge value.
Luke: Certainly, and we do offer training courses in partnership with our technical adviser, RiskLens. We have a lot of information on our website about that. Christophe, anything to add?
Christophe: I think it starts with taxonomy and associated method work. And then possibly tackle a few of the misconceptions that still exist about what it takes to quantify. It’s actually a lot easier and a lot quicker to start gaining some benefits, not just from the taxonomy but also from the financial quantification of risk, which is really what business needs to understand what’s at stake for the organization and how, in the business, they can tackle that growing issue within the organization.
Luke: Wrapping up, for your goals in 2020, in your day jobs, outside of work and for the FAIR Institute, what do you see, what are you working on in 2020?
Tom: We think 2020 is going to be a big year in quantification. Sounds kind of cheesy, but it’s true. We are seeing this kind of tipping point in the industry. We’ve been at this for four or five years now, and we see more interest in the start of this year than we’ve ever seen in the past. So, we’ve got really ambitious goals for C-Risk, our consulting business, just to really drive adoption and develop a series of offerings around awareness and training, for people to really understand what FAIR is, and also to model some of those risk scenarios in such a way that it can help customers scale up quickly and facilitate the adoption of the model.
Christophe: And we also want to continue to participate in the FAIR Institute activities. Our next meeting is March 18th, a breakfast in downtown Paris, and we also are looking into ways of maybe setting up the first European FAIR conference in the fall of this year.
Luke: I’m excited for that. We do our big conference every year, this year at the beginning of October, but we are looking to set up our first FAIR European summit sometime in September before that conference, for those who can’t join us in the United States. So, fingers crossed that I get to come to that as well.