Join me in this conversation with two of our most insightful – and experienced – FAIR practitioners: Tyanna Smith, a former risk consultant for RiskLens, and Jack Whitsitt, formerly the FAIR lead at Bank of America, both now running FAIR risk management for Datto, the services provider to MSPs (Jack is Senior Security Engineer, Tyanna Cyber Risk Program Manager). Jack is an advisory board member for the FAIR Institute and both he and Tyanna serve as board members for the Society of Information Risk Analysts (SIRA).
On how they first heard about FAIR
Jack: “Somebody ranting about it on Twitter on how it was going to save the world…I was initially a skeptic.”
FAIR educator Mike Jerbic at San Jose State University introduced Tyanna to FAIR – “I took the red pill, and I couldn’t look back after that…Little did I know it was going to lead to a career in cyber risk.”
On the benefits of cyber risk quantification
Tyanna: “The biggest aspect that I have seen is being able to level set and talk on the same plane…Like what is a vulnerability? No one really knows.”
Jack: “When you ask people what their security program is for, very often they start talking in circles…Ask what that means for the business and you realize people don’t actually know where they’re going… By lensing your risk into a quantified dollar amount, you start creating real plans to reduce risk.”
On tips for communicating cyber risk to the board and the business
Tyanna says she and Jack have been most successful by “figuring out the objective of the stakeholder” and then solving for that business problem. Jack adds that this means meeting stakeholders where they are in terms of the metrics that matter to them: annualized loss exposure (ALE) for a CISO managing a budget against a risk appetite, but the frequency and magnitude of tail events for a finance officer planning capital reserves against worst-case scenarios.
Key developments they see in risk management today
Tyanna: “I am noticing that there is an interest and an appetite in quant risk in each of the aspects of infosec and security as a whole.”
Jack: “We treat quantification as an add-on to our risk management approach…It should be the center because that’s the target we are trying to get at.”
More from Jack and Tyanna