One of the significant hurdles we have to overcome as a profession is our addiction to “zero cost” risk measurement. Let me explain…
Take notes on this webinar by Gregory Rothauser, lead information risk manager at Mass Mutual, the Fortune 100 insurance firm, if you’re looking for a case study on how to quickly and effectively implement FAIR quantitative risk analysis, especially if you’re subject to the New York Department of Financial Services rules mandating periodic, documented risk assessments.
Organizations with a mix of cutting-edge technologies and legacy systems need adaptable, agile frameworks that provide executives with a real-time view of cyber risks. They also need tools and processes to ensure that everyone from executives to practitioners practices sound, consistent risk management.
This is what a movement looks like. Membership in the FAIR Institute has now passed 3,000, about double the level of a year ago, as cyber risk quantification wins converts across industries.
The FAIR Institute breakfast during the recent Gartner Security & Risk Management Summit was an opportunity for FAIR newbies to soak up advice from veteran practitioners.
OK, so Warren Buffett didn't really give information security advice. He gave investment advice. Risk management's objective, which I believe is the foundation of information security, is to make good investment decisions.
I’ve heard it many times – “Why can’t we just do this analysis over the whole IT environment? Why do we need to pick a specific asset or population of assets?”
Sometimes, the most mathematically oriented risk officers we meet ask this question: Is FAIR a Value-at-Risk (VaR) model? This happens mostly with risk officers who have extensive experience in credit risk, operational risk and market risk.
Omar Khawaja, the CISO at Highmark Health, is building one of the more ambitious programs to introduce FAIR we’ve heard of, in the complex risk environment of a company with insurance, hospital, retail eye care, and other health-related businesses.