I had heard that SIRACon, the annual event hosted by the Society of Information Risk Analysts, was one of the two big opportunities of the year to hear the best thinking – and have the best hallway conversations – about risk analysis and risk management (FAIR Institute’s FAIRCON is the other). For a first-time attendee, SIRACon18 lived up to its reputation.
The conference was hosted in hipster headquarters: Starbucks Center in Seattle. (Yes, delicious coffee was provided, and each day began with coffee tasting). The attendees wore nametags without titles or companies; I believe this helped foster organic conversations about concepts before companies. Most importantly, the speakers delivered on an assortment of relevant topics which sparked great discussion.
My main takeaways can be grouped into three themes:
The tagline for the conference was Data > Dogma. It was recognized that conventional wisdom in our profession, which holds that information risk is unquantifiable and can only be captured by high/medium/low ratings, should not dictate behavior. Risk should be measured so that it can be managed (and, with new SEC guidance and requirements on reporting cyber risk just issued, for publicly traded companies "should" has now become "must!").
The idea that data should inform decisions, not simply subjective judgment and ‘best practices,’ was prevalent throughout the presentations. In short, in light of the dictum Data > Dogma, speakers did not debate if information risk could be quantified, rather they simply discussed how it could be best quantified.
Fun fact: One speaker conducted a live, online poll of the audience to see what books have been read. In a span of a minute or two, we saw results reflected in the colored pie chart on the screen. Quite fittingly: Jack Jones and Jack Freund’s Measuring and Managing Information Risk: a FAIR Approach and Douglas Hubbard’s How to Measure Anything were read the most.
It was refreshing to see how candid the speakers were in sharing ideas. Data collection methods were graciously shared: how to vet the quality of data, how to infer insights from unstructured data, how to combat cognitive bias when collecting data, how to improve one’s calibration, and so on. It was evident that the room recognized that sharing experience and engaging in dialogue with other information security professionals is a great means of making progress in our profession.
Fun fact: The Open FAIR standard was referenced throughout the conference. It was interesting to hear about specific use-cases of how FAIR practitioners are leveraging the model to conduct value-adding analyses for their organizations. Based on this sample of risk professionals, I can say that the future (and present) of FAIR is bright!
One person at my table observed that there weren't many death-by-PowerPoint presentations, which was refreshing. Instead, there were some really aesthetically pleasing presentations.
The reason I want to emphasize this point is simple: you can have really good ideas and/or quantitative data, but if you cannot communicate clearly or present in a way that is palatable to the audience, then your ideas and data will not be heard.
I would wager that a good portion of information security professionals do not have equally strong artistic/visual design skills. The sad consequence of that is: superb work can sometimes be under-appreciated or overlooked simply because the material was not presented in a way that non-infosec people could easily digest. However, for whatever reason, the majority of SIRACon speakers managed to break the mold and masquerade as presentation pros. Kudos!
Fun fact: Presentations were animal-inclusive. Both cats and dogs were presented with cute pictures. Who knew cats and dogs could be so complementary to information risk storytelling?
What were your takeaways from SIRACon18? Leave me a message in the comments section below.