The Securities and Exchange Commission, the European Union and the International Monetary Fund all pointed cyber risk managers toward cyber risk quantification in 2018, and many of our most popular blog posts covered the pressures from regulators and boards of directors to improve cyber risk reporting. Blog readers were also looking for advice on the how-to of implementing a FAIR risk quantification program and found it in Meet a Member interviews with key executives at McAfee, Cisco and other leading companies. Coverage of the 2018 FAIR Conference was the single most-read topic on the blog – or most-watched, as we posted many videos of the conference sessions.
Here are the ten most popular posts published in 2018 on the FAIR Institute blog.
#1 3 Risk Identification Questions You Should Be Asking
The most popular blog post published in 2018 covered the key questions that should be a part of every risk identification effort, especially when quantitative analysis is new to an organization.
- Where are we experiencing loss today?
- What keeps you up at night?
- What are our most valuable assets, and what could happen to them that would lead to loss for our organization?
#2 Ponemon Report on the True Cost of Compliance -- A Missed Opportunity
FAIR creator Jack Jones applies some critical thinking to claims that the “more you spend on security the less likely you are to experience adverse events” and finds plenty of holes. This post is a primer on how to skeptically interpret industry reports on the state of cybersecurity.
#3 KRIs for Cybersecurity: Canaries in Coal Mines
Jack Freund, co-author with Jack Jones of the FAIR book, on how to interpret warning signs in a risk management program.
#4 The SEC's New Cyber Risk Disclosure Guidance: Textbook Case for FAIR
The powerful regulatory agency shook up infosec teams, senior management and boards with its new disclosure guidance issued in 2018, which raised the bar on how cybersecurity risk is to be managed and reported—quantitative cyber risk analytics and the FAIR model suddenly went from nice-to-have to must-have for public companies.
#5 OCTAVE FORTE and FAIR Connect Cyber Risk Practitioners with the Boardroom
Carnegie Mellon University’s Software Engineering Institute (SEI) recognized the importance of FAIR by recommending the risk quantification model be used with its OCTAVE risk management framework. The SEI’s Brett Tucker explains how the two work together to “provide a complete qualitative and quantitative picture of organizational risk.”
#6 FAIRCON 2018 Day One: Risk Management Tips from Highmark Health, Walmart, PNC -- And a Party at the Warhol
The third annual FAIR Conference, held at Carnegie Mellon University in Pittsburgh in October, attracted a record crowd and generated high interest in Conference coverage on the Institute blog – altogether those posts were the single most-read topic of the year. See some highlights here:
- [Video] James Lam’s FAIRCON18 Keynote on ERM, Cybersecurity Oversight and Cyber Risk's Future
- FAIRCON18 Video: A Master Class on Reporting Cyber Risk to the Board
- FAIRCON18 Video: How to Identify Key Risk Indicators (KRIs) for Cybersecurity
and see the complete coverage of the 2018 FAIR Conference.
#7 IMF Chief Says Finance Sector Urgently Needs Cyber Risk Quantification
Similar to the SEC’s disclosure guidance for U.S. public companies earlier in the year, this warning from Christine Lagarde, Managing Director of the International Monetary Fund, forcefully brought cyber risk quantification to the forefront in the banking sector. This post by Institute CEO Nick Sanna explains how FAIR is the best answer to Lagarde’s concerns.
#8 Five Critical Cybersecurity Trends that Boards Need to Know
James Lam, Director at E*TRADE Financial, and Chair of the board’s risk oversight committee, correctly predicted that boards would demand better cyber risk reporting in 2018, inevitably leading to more use of cyber risk quantification models. James later was a keynote speaker at FAIRCON18; see his talk on the future of cyber risk.
#9 How to Analyze Your Risk from GDPR: A FAIR Approach
The European Union’s new privacy regulations went into effect in May, proposing stiff fines for companies that didn’t provide a “reasonable” level of protection for personal data – with no definition of “reasonable.” That left companies scrambling to understand how much to invest in enhanced security to meet the regulations, with no past data available to guide them. That’s a classic problem to solve with the FAIR model, as this post explains.
#10 Meet a Member: Grant Bourzikas, CISO and ‘Customer Zero’ at McAfee
What better endorsement for the FAIR method than this? McAfee, the cybersecurity industry leader, chose the FAIR model to power its own cyber risk analyses. In this interview, CISO Grant Bourzikas describes introducing FAIR to his organization, combined use with maturity models, and success at reporting to the board. In other Meet a Member blog posts this year, we met FAIR enthusiasts from Cisco, Arizona State University, Highmark Health and PwC.