The FAIR Institute Blog

RSAC 2020 Report – Big Turnout for 2 FAIR Seminars, Breakfast Advice on Starting a FAIR™ Program from Jack Jones and Fannie Mae, Ascena Retail CISOs

Written by Luke Bader | Feb 27, 2020 3:28:45 PM

More than 700 attended two half-day seminars on Monday for an introduction to FAIR led by its creator, Jack Jones, headlining a week of events at the 2020 RSA Conference that together add up to the most recognition ever for FAIR™ and risk quantification at the biggest security conference. 

RSA had teed up the interest by naming FAIR among the major themes of the year in its Trend Report, then scheduled multiple FAIR-themed sessions, including appearances by FAIR book co-author Jack Freund and by FAIR practitioners from NASA, ADP, PNC Bank and others.  

More than 100 new members have signed up for the FAIR Institute in the first days of RSAC 2020. And the Institute’s annual breakfast, held Wednesday morning, filled every seat in the room. Also a sellout: the Sunday and Monday FAIR Fundamentals training course, taught by RiskLens Academy.

Did you attend the 2020 RSA Conference? We want to hear what you found most informative and your take on the maturity level of the cybersecurity profession. Take our short survey!

FAIR Institute Breakfast: Tips on “Building an Effective Cyber Risk Management Program that Actually Works”

FAIR Institute President Nick Sanna opened the breakfast event with an update on Institute membership – now over 7,700, with 1,000 joining in the last 100 days. One of the drivers, he said, was the increasing acceptance by risk management authorities: the major frameworks NIST CSF and COSO ERM point to the FAIR standard, and leading consultancy Gartner is urging the move to risk quantification.

Coming soon to the FAIR Institute website: Complete video of the FAIR Breakfast during RSAC 2020.


Key Points from Jack Jones and CISOs on Adopting FAIR

Jack was joined by CISOs Mark Tomallo of Ascena Retail Group and Christopher Porter of Fannie Mae for a ground-level view of introducing and fostering cyber risk quantification in a large organization. “It’s a change management exercise,” Jack said. “You’re changing the way people perform their jobs and make decisions…It’s a bit of a minefield but there are ways to navigate it.”

Jack identified the two biggest change management obstacles as the attitudes that quantification is “too difficult” and that the usual, subjective approach to risk analysis is “good enough.” In fact, “there’s no advantage to doing really easy risk management,” which may seem to have “no cost up front but all the cost comes later” when unanticipated losses hit.

Jack laid out a roadmap for FAIR adoption that starts with the “Why”, the result of conversations with stakeholders to discover the pain points in the organization. “If you understand the obstacles and pain points, you can choose a starting point that can vastly improve your outcomes.” Then launch your program with the idea that “it’s a continual evolution.”

Jack Jones’ Roadmap for a Quantitative Risk Management Program

Start by applying high level FAIR analysis to your list of top risks to triage them.  “You can get a tremendous amount of clarity about what matters in your risk landscape without a lot of investment,” Jack advised.  

“The more you go up the scale, the more resources required but the more value you get.”  With increasing staff sophistication, a risk quantification platform (such as RiskLens, by the technical adviser to the FAIR Institute) and expert help, a program goes up the scale to provide operational decision support (for instance, through cost-benefit analyses) then strategic decision support (such as management of a risk portfolio) and finally to “cyber risk management nirvana,” automated decision support with a real-time risk dashboard.  

“There’s no single starting point” – but the point is to get started “solving problems sooner rather than later.”
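A high-level FAIR triage of the kind the roadmap starts with, written as an added example here and not code from the post or the FAIR Institute: each top risk gets calibrated min/most-likely/max estimates for Loss Event Frequency and Loss Magnitude, a Monte Carlo run produces an Annualized Loss Exposure distribution, and the risks are ranked by their 90th percentile. The scenario names and estimates are constructed, and multiplying a frequency rate by a magnitude draw is a simplification of the full FAIR ontology.

```python
import random
from dataclasses import dataclass

@dataclass
class Estimate:
    """Calibrated three-point estimate (min, most likely, max), as used in FAIR."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Beta-PERT draw: most of the mass sits near the "most likely" value.
        if self.high == self.low:
            return self.low
        span = self.high - self.low
        a = 1 + 4 * (self.likely - self.low) / span
        b = 1 + 4 * (self.high - self.likely) / span
        return self.low + rng.betavariate(a, b) * span

@dataclass
class Scenario:
    """A loss scenario described by FAIR's two top-level factors."""
    name: str
    lef: Estimate  # Loss Event Frequency, events per year
    lm: Estimate   # Loss Magnitude, currency units per event

def simulate_ale(scenario: Scenario, trials: int = 10_000, seed: int = 7) -> dict:
    """Monte Carlo of Annualized Loss Exposure = LEF x LM; returns percentiles and mean."""
    rng = random.Random(seed)
    losses = sorted(scenario.lef.sample(rng) * scenario.lm.sample(rng) for _ in range(trials))
    pct = lambda p: losses[min(trials - 1, int(p / 100 * trials))]
    return {"p10": pct(10), "p50": pct(50), "p90": pct(90), "mean": sum(losses) / trials}

def triage(scenarios: list[Scenario]) -> list[tuple[str, dict]]:
    """Rank scenarios by 90th-percentile ALE, worst first."""
    ranked = [(s.name, simulate_ale(s)) for s in scenarios]
    return sorted(ranked, key=lambda r: r[1]["p90"], reverse=True)

# Constructed, hypothetical estimates (not figures from the post) for two top risks.
TOP_RISKS = [
    Scenario("Default passwords on internal devices", Estimate(0.5, 2, 6), Estimate(1_000, 10_000, 50_000)),
    Scenario("Breach of customer PII store", Estimate(0.02, 0.1, 0.3), Estimate(500_000, 3_000_000, 20_000_000)),
]

if __name__ == "__main__":
    for name, result in triage(TOP_RISKS):
        print(f"{name}: p50={result['p50']:,.0f} p90={result['p90']:,.0f}")
```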

Fannie Mae CISO Chris Porter: FAIR Supports Many Kinds of Business Decisions

Chris gave examples of how FAIR revealed insights for cost-cutting that went beyond bread-and-butter decisions on comparing cybersecurity controls. Fannie Mae was able to reduce its exposure to potential data breach credit monitoring and notification costs by changing contracts to eliminate holding Social Security numbers, and to reduce its cyber insurance premiums by fine-tuning the policy to avoid over-paying for lower risks.

Ascena Retail CISO Mark Tomallo: Make a Careful, Phased Effort to Socialize FAIR

Mark described a well thought-out plan to engage different stakeholders, starting with switching to FAIR nomenclature in all risk conversations, involving SMEs and line-of-business owners to create loss tables, gathering top-risks lists from VPs, running FAIR analyses in stealth mode and exposing results to stakeholders when it serves their interests. Mark said he knew he was succeeding when he turned back a finding from audit on a “material weakness” over default passwords that, under FAIR analysis, turned out to be a negligible risk.


Related:

Webinar on Demand: How Fannie Mae Integrates FAIR™ Cyber Risk Analysis and Threat Intel