SEC Cyber Risk Disclosure Guidance, KRIs for Cybersecurity, Risk Trends for Boards – Most Popular FAIR Institute Blog Posts of 2018

The Securities and Exchange Commission, the European Union and the International Monetary Fund all pointed cyber risk managers toward cyber risk quantification in 2018, and many of our most popular blog posts covered the pressures from regulators and boards of directors to improve cyber risk reporting.

Blog readers were also looking for advice on the how-to of implementing a FAIR risk quantification program and found it with Meet a Member interviews with key executives at McAfee, Cisco and other leading companies. Coverage of the 2018 FAIR Conference was the single most read topic on the blog – or most-watched, as we posted many videos of the conference sessions.

Here are the ten most popular posts published in 2018 on the FAIR Institute blog.

#1 3 Risk Identification Questions You Should Be Asking

The most popular blog post published in 2018 covered the key questions that should be a part of every risk identification effort, especially when quantitative analysis is new to an organization.

  • Where are we experiencing loss today?
  • What keeps you up at night?
  • What are our most valuable assets, and what could happen to them that would lead to loss for our organization?

#2 Ponemon Report on the True Cost of Compliance -- A Missed Opportunity

FAIR creator Jack Jones applies some critical thinking to claims that the “more you spend on security the less likely you are to experience adverse events” and finds plenty of holes. This post is a primer on how to skeptically interpret industry reports on the state of cybersecurity.

#3 KRIs for Cybersecurity: Canaries in Coal Mines

Jack Freund, co-author with Jack Jones of the FAIR book, on how to interpret warning signs in a risk management program.

#4 The SEC's New Cyber Risk Disclosure Guidance: Textbook Case for FAIR

The powerful regulatory agency shook up infosec teams, senior management and boards with its new disclosure guidance issued in 2018 that raised the bar on how cybersecurity risk is to be managed and reported—quantitative cyber risk analytics and the FAIR model suddenly went from nice-to-have to must-have for public companies.

#5 OCTAVE FORTE and FAIR Connect Cyber Risk Practitioners with the Boardroom

Carnegie Mellon University’s Software Engineering Institute (SEI) recognized the importance of FAIR by recommending the risk quantification model be used with its OCTAVE risk management framework. The SEI’s Brett Tucker explains how the two work together to “provide a complete qualitative and quantitative picture of organizational risk.”

#6 FAIRCON 2018 Day One: Risk Management Tips from Highmark Health, Walmart, PNC -- And a Party at the Warhol

The third annual FAIR Conference, held at Carnegie Mellon University in Pittsburgh in October, attracted a record crowd and high interest in Conference coverage on the Institute blog – altogether those posts were the single most-read topic of the year. See some highlights here, and see the complete coverage of the 2018 FAIR Conference.

#7 IMF Chief Says Finance Sector Urgently Needs Cyber Risk Quantification

Similar to the SEC’s disclosure guidance for U.S. public companies earlier in the year, this warning from Christine Lagarde, Managing Director of the International Monetary Fund, forcefully brought cyber risk quantification to the forefront in the banking sector. This post by Institute CEO Nick Sanna explains how FAIR is the best answer to Lagarde’s concerns.

#8 Five Critical Cybersecurity Trends that Boards Need to Know

James Lam, Director at E*TRADE Financial and Chair of the board’s risk oversight committee, correctly predicted that boards would demand better cyber risk reporting in 2018, inevitably leading to more use of cyber risk quantification models. James was later a keynote speaker at FAIRCON18; see his talk on the future of cyber risk.

#9 How to Analyze Your Risk from GDPR: A FAIR Approach

The European Union’s new privacy regulations went into effect in May, proposing stiff fines for companies that didn’t provide a “reasonable” level of protection for personal data – with no definition of “reasonable.” That left companies scrambling to understand how much to invest in enhanced security to meet the regulations, with no past data to draw on. That’s a classic problem to solve with the FAIR model, as this post explains.

#10 Meet a Member: Grant Bourzikas, CISO and ‘Customer Zero’ at McAfee

What better endorsement for the FAIR method than this? McAfee, the cybersecurity industry leader, chose the FAIR model to power its own cyber risk analyses. In this interview, CISO Grant Bourzikas describes introducing FAIR to his organization, combined use with maturity models, and success at reporting to the board. In other Meet a Member blog posts this year, we met FAIR enthusiasts from Cisco, Arizona State University, Highmark Health and PwC.
