NACD Cyber Risk Oversight Handbook Endorses Quantification, Cites FAIR - with Help from FAIR Inst. Members Nick Corzine and Ben Havelka of Centene
If you’re looking for a great tool to promote FAIR and the quantitative approach to your board of directors, send them the Cyber-Risk Oversight 2020 handbook from the National Association of Corporate Directors and the Internet Security Alliance. It gives a new and clear direction to boards to oversee cyber risk based on quantitative analysis—and cites FAIR as one of the models to use.
“By calculating the degree of their financial exposure to cyber risk, organizations can better determine where to place and prioritize their cybersecurity investments to address the greatest, most impactful risk,” the handbook says.
The NACD suggests that directors ask some pointed questions that can be fully answered only with a financial analysis of risk, not with "maturity models" or other tech-speak, including:
- What, in quantitative terms, is our risk appetite and how is it measured?
- How do we measure the effectiveness of our cybersecurity program?
- What is our annual cyber risk expected loss value?
This FAIR-friendly point of view is in part due to the handbook's contributors from Centene Corporation, the Fortune 50 healthcare company and a long-time user of FAIR for risk management, including
- Chief Security Risk Officer Lou DeSorbo
- Director of Cyber Threat Management Geoji Paul
- Ben Havelka, Senior Risk Analyst - Quantitative Cyber Risk Analysis
- Nick Corzine, Manager, Quantitative Cyber Risk Analysis. Nick also co-chairs the St. Louis chapter of the FAIR Institute.
We talked to Nick and Ben about the significance of the NACD handbook and their advice for putting it into practice for cybersecurity risk management teams reporting to the board:
Q: What’s new regarding cyber risk, compared to previous editions?
Nick: There is added emphasis on what type of metrics board members should be expecting their cyber security teams to provide. The guidance in the previous edition was focused around management within cyber security deciding what is appropriate to provide to their executive leaders.
Now there is a bit more of a shift to bringing to light what is possible for security teams to show their boards and encouraging board members to expect their cyber security teams to bring them a robust level of analysis going forward.
Q: Was there debate over the importance of quantitative cyber risk analysis or is that a settled issue?
Ben: This issue seems to have been settled and there is no debate on its usefulness. Other departments within organizations have been providing quantitative analyses to board members year after year and they know it is time for cyber to do so as well.
The debate is primarily around where to begin and what key indicators are most important to board members. Part of that I think largely depends on the board’s understanding of cyber risk and risk quantification. You may have better luck starting with more easily digestible metrics such as average annual loss and increasing in complexity as support grows.
Q: How is FAIR considered in the handbook? What recommendations, though they don't mention FAIR, point to the use of FAIR?
Nick: FAIR is referenced as a quantitative analysis method to look into and potentially pursue in order for an organization to walk down the path of improved cyber risk analysis. There is mention of other methods such as Monte Carlo simulations. Concepts such as establishing risk tolerance and appetite are brought up as well. All of these are cornerstones of the FAIR framework.
Q: How does the handbook (or your advice) recommend that boards or security management get started with quantitative reporting and in particular, transition from a standards-compliance approach?
Ben: Supplement, not replace, current processes to begin with. Standards and compliance reporting are important metrics to many directors; however, if they are only seeing reports of arbitrary scores and colors, directors should be asking, “So what, how much risk do we have? What are our top risks? How will these risks impact us financially if realized?”
We recommend that risk management teams allow for a side by side comparison to showcase the benefits over more traditional compliance approaches.
Q: The handbook poses a series of questions for boards to answer regarding cybersecurity measurement and reporting. How does FAIR help answer those?
Ben: FAIR helps to answer these questions in financial terms: how much, and how effectively, will our investments buy down risk. We want to SEE how much of an effect it has. Board members expect to be presented with information from which they can immediately process what sort of effect there is when an investment in a particular control is made. FAIR enables teams to lean towards data and visualizations that allow boards to interpret what a monetary investment can accomplish. You can see the actual change and better rationalize or justify an investment.
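The handbook's question "What is our annual cyber risk expected loss value?", Nick's mention of Monte Carlo simulation as one of the methods, and Ben's point about seeing how much an investment buys down risk all rest on the same calculation. The script below is an added illustration written for this article; it is not code from Centene, the FAIR Institute or the NACD. It implements the top of the FAIR decomposition (risk = loss event frequency x loss magnitude) with calibrated three-point (PERT) estimates, simulates thousands of years with only the Python standard library, and reports the annualized loss exposure before and after a proposed control. The scenario names, the frequency and magnitude ranges, the control cost and the 20,000-year run length are all constructed for the example and carry no real data.

```python
"""
FAIR-style annualized loss exposure (ALE) by Monte Carlo simulation.
Standard library only. Added illustration; not Centene's, the FAIR
Institute's or the NACD's code. All inputs below are constructed.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """Calibrated three-point estimate (minimum, most likely, maximum)."""
    low: float
    mode: float
    high: float

    def mean(self) -> float:
        # Closed-form mean of the classic PERT (lambda = 4) distribution
        return (self.low + 4 * self.mode + self.high) / 6

    def sample(self, rng: random.Random) -> float:
        if self.high == self.low:
            return self.low
        span = self.high - self.low
        a = 1 + 4 * (self.mode - self.low) / span   # beta shape parameters
        b = 1 + 4 * (self.high - self.mode) / span  # derived from the mode
        return self.low + span * rng.betavariate(a, b)


@dataclass(frozen=True)
class Scenario:
    """FAIR top level: risk = loss event frequency (LEF) x loss magnitude (LM)."""
    name: str
    lef: Pert   # loss events per year
    lm: Pert    # dollars lost per event


@dataclass(frozen=True)
class Summary:
    mean: float   # the "annual expected loss value" a board would ask for
    p50: float
    p90: float
    p95: float    # a common risk-appetite threshold ("1 in 20 years")
    worst: float


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method: how many loss events occur in a year at rate lam."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def percentile(sorted_values, q: float) -> float:
    """Nearest-rank percentile on an ascending list."""
    idx = max(0, math.ceil(q * len(sorted_values)) - 1)
    return sorted_values[idx]


def simulate(scn: Scenario, years: int = 20_000, seed: int = 7) -> Summary:
    """Simulate `years` independent years and summarise the annual loss distribution."""
    rng = random.Random(seed)  # fixed seed so the report is reproducible
    losses = []
    for _ in range(years):
        rate = scn.lef.sample(rng)        # this year's loss event frequency
        n_events = poisson(rng, rate)     # how many events actually happen
        losses.append(sum(scn.lm.sample(rng) for _ in range(n_events)))
    losses.sort()
    return Summary(
        mean=statistics.fmean(losses),
        p50=percentile(losses, 0.50),
        p90=percentile(losses, 0.90),
        p95=percentile(losses, 0.95),
        worst=losses[-1],
    )


def analytic_mean(scn: Scenario) -> float:
    """E[annual loss] = E[LEF] * E[LM] when frequency and magnitude are independent."""
    return scn.lef.mean() * scn.lm.mean()


def risk_reduction(before: Summary, after: Summary, annual_control_cost: float) -> dict:
    """Expected loss bought down per year, and what is left after paying for the control."""
    buy_down = before.mean - after.mean
    return {"buy_down": buy_down, "net_benefit": buy_down - annual_control_cost}


# Constructed example inputs (hypothetical ranges, not real loss data).
BASELINE = Scenario("Scenario A, current state",
                    lef=Pert(0.1, 0.5, 2.0),
                    lm=Pert(50_000, 400_000, 3_000_000))
WITH_CONTROL = Scenario("Scenario A after proposed control",
                        lef=Pert(0.05, 0.2, 1.0),   # control cuts event frequency
                        lm=BASELINE.lm)               # but not the size of a loss

if __name__ == "__main__":
    base, ctrl = simulate(BASELINE), simulate(WITH_CONTROL)
    for scn, res in ((BASELINE, base), (WITH_CONTROL, ctrl)):
        print(f"{scn.name}: mean ${res.mean:,.0f}  p90 ${res.p90:,.0f}  p95 ${res.p95:,.0f}")
    print(risk_reduction(base, ctrl, annual_control_cost=120_000))
```

Two design points matter when this is shown to a board. First, the mean is only one number; the 90th and 95th percentiles are what let directors compare exposure against a stated risk appetite, and a control that lowers the mean but leaves the tail untouched is a different conversation from one that trims both. Second, `analytic_mean` gives the closed-form expected value from the same inputs, which is a cheap sanity check that the simulation is wired correctly before any result is put in front of decision makers.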
Q: What’s been Centene’s FAIR journey and how is FAIR currently used?
Nick: Our organization has a strong appetite for using objective and mathematical approaches to solving problems. So, when we joined the team in 2019, many of our risk analysts had already been introduced to FAIR; some were already trained and certified.
Today, our team extends services to many other groups/functions in the organization so we rely on a variety of quantitative methods in our risk management program; however, FAIR stands out strongest in its ability to get teams thinking about and speaking about risk in the same way.