Scaling Quantitative Cyber Risk Management: 6 Questions We’ll Answer at the 2022 FAIR Conference
The FAIR Conference brings together experts, practitioners, and learners of Factor Analysis of Information Risk (FAIR™), the international standard of risk quantification for cyber, technology and operational risk. This year, the conference theme is “Scale” in recognition that awareness, knowledge, and trial of FAIR has spread so far so fast that the urgent question now is no longer “What is it?” but “How can we grow a risk-based program with FAIR and reap the benefits ASAP?”
Attend FAIRCON22 and expect some authoritative answers from conference sessions to these questions (and more) about scaling risk management with FAIR cyber risk quantification.
Register for the 2022 FAIR Conference, Tuesday and Wednesday, September 27-28, and attend in-person at the Mandarin Oriental Hotel, Washington, DC or online at the virtual conference.
See the full agenda for FAIRCON22
1. Where do I start?
Answer: By educating your team and stakeholders about FAIR. Moving to a quantitative, risk-based program from a compliance-driven or qualitative risk assessment mentality is a culture shift. Your organization needs to be walked through an education until they are fully bought in.
Attend these sessions:
- Panel: Driving Culture Change - From a Compliance to a Risk-based Approach to Cybersecurity, 10-10:45 AM Tuesday, a CISO panel led by Omar Khawaja of Highmark Health.
- Case Study: Five Objections to FAIR and How to Overcome Them, 2:15-3:00 PM Tuesday, led by Tony Martin-Vegue and Prashanthi Koutha of Netflix.
2. What resources do I need?
Answer: The 5 Ps: a well-defined purpose, the right people, a FAIR-based analysis platform, a process for top risk assessments and other analyses, and performance measures for reporting on risk in ways useful to decision-makers.
Attend this session:
- Case Study: Building a Strong Foundation for Your Quantitative Risk Management Program, 3:45-4:30 PM Wednesday, led by Tim Wynkoop of Equinix.
3. How do I start to achieve acceptance?
Answer: With some quick wins. Good advice is to understand where the pain points lie in current risk management and apply FAIR there.
Attend these sessions:
- Case Study: “FAIR: Okay, Now What?” - Steps to Set Up a Quantitative Risk Management Program at Any Organization, 1:00-1:45 PM Tuesday, led by Michael Meis, Kansas University Health.
- Presentation: Expedia Groups’ Approach to Build an Effective Security Risk Management Program using FAIR, 1:45-2:30 PM Wednesday, led by Krishna Sheshabhattar of Expedia and Randy Spusta of IBM Security.
4. How do I normalize quantitative risk management?
Answer: By establishing a permanent place for FAIR in ongoing processes, such as risk governance or risk register maintenance.
Attend these sessions:
- Case Study: Embedding CRQ in the Infosec Governance Process of a Fast-Growing Pop Culture Retail Organization, 3:30-4:15 PM Tuesday, led by Markus Kaufmann of Funko.
- Case Study: Refining the “R” in GRC at Scale, 2:30-3:15 PM Wednesday, led by Michael Radigan of Cisco.
5. How do I make FAIR analysis a must-have input for making decisions?
Answer: This is cutting edge, but apply the newest development, FAIR-CAM™ (FAIR Controls Analytics Model), for cost-benefit analysis on an entire cybersecurity program.
Attend these sessions:
- Presentation: How to Scale FAIR Programs with Controls Analytics, 1:00-1:45 PM Tuesday, led by Bryan Smith, CTO, RiskLens and Jack Jones, Chairman FAIR Institute, Chief Risk Scientist RiskLens.
- Case Study: Quantifying the Control and Risk Landscape Using FAIR-CAM, 1:45-2:30 PM Wednesday, led by Tyler Britton of Dropbox.
6. How do I win acceptance for FAIR throughout the business?
Answer: Show the business value of quantification to your enterprise risk management team, senior management and board.
Attend these sessions:
- Panel: Communicating Cyber Risk to the Board and the Business: How Is It Changing?, 9:45-10:45 AM Wednesday, led by Julian Meyrick of IBM.
- Presentation: Managing Cyber Risk as a Strategic Enterprise Risk, 11:15 AM-12:00 PM Wednesday, led by John Button of Gartner.