October 14, 2016 marked the first ever gathering of information security and operational risk professionals at the FAIR Conference. Visionary leaders and market commentators shared powerful insights and discussed topics ranging from managing cyber risk from the business perspective, to implementing risk quantification programs and the lessons that come with them, to future industry trends. We will remember the conference for years to come for the quality of its speakers and content. There were a few standout moments that we are not likely to forget.
"It was a very impressive event. It’s a high standard for the future," commented Jeffrey Kutler, Editor in Chief, Global Association of Risk Professionals.
Jack did it again...
Jack Jones, the author of FAIR and the chairman of the FAIR Institute, never ceases to surprise us. Just when we think we have finally grasped how FAIR can transform the way risk is assessed, communicated and managed, he stretches our thinking and shows us how much further we can go. His captivating keynote presentation led the audience into the future of information and operational risk analysis. Jack showed us how far we have come in the profession through the application of formal risk models, the use of estimation and calibration methodologies, better data sources, improved risk analyst skills and advanced risk analytics solutions. He then opened a window into a future where automation will play a big role in risk analysis, thanks to advances in data aggregation, machine learning and advanced simulation of possible loss scenarios. You can listen to his keynote again here.
The two panels provided the audience with great insight into the real-life experience of executives and practitioners, as they drive change in their organization.
- The CISO panel focused on "How to effectively communicate cyber risk to the board and the business". As cyber risks have grown big enough to command the board's attention, many CISOs find themselves ill-equipped to communicate about cyber risk in the financial language that the board and the business understand. This is where FAIR is proving instrumental in helping translate security and risk information into dollars and cents and in demonstrating the value of cybersecurity. Excerpts of the comments shared by Jasper Ossentjuk (CISO at TransUnion), Kelly Uhrich (Deputy CISO at Key Bank), Laz Lazarikos (CISO at vArmour) and moderator Jack Jones (3x CISO) will be shared in an upcoming blog post.
"The board is increasingly asking to understand the financial impact of our (cybersecurity) initiatives. Red, Yellow, Green is not cutting it anymore," said Jasper Ossentjuk, CISO at TransUnion.
- The FAIR practitioner panel addressed the opportunities and challenges in building a quantitative risk management program. The panelists shared great insights into how they have been winning hearts and minds via quick wins and what it takes to further operationalize quantitative analysis in day-to-day decision-making processes. You will be able to hear comments shared by Steve Reznick (Director of Operational Risk Management at ADP), Jack Freund (Sr. Manager Cyber Risk Framework at TIAA), Jonathan Beck (SVP-Director, Infosec Risk Mgmt. at PNC Bank) and Chip Block (VP Evolver) in a future blog article.
"Critical thinking, business acumen, inherent drive, and then a background on security. All qualities for a new risk analyst." Evan Wheeler, VP Operational Risk at DTCC
Topical Case Studies
The case studies scored high marks in the surveys received after the conference, as the attendees found them very topical.
- The first case study on "presenting the top 10 risks to the board" was more strategic in nature. FAIR experts Chad Weinman and Isaiah McGowan from RiskLens skillfully guided the audience through the analysis and reporting process they have seen succeed at large organizations.
- The other case study was meant to be more tactical and shared the step-by-step experience of how to conduct an actual risk analysis using FAIR. Who would have known that Tony Martin-Vegue's (Cyber Risk Mgr. at National Mortgage Insurance) case study on "Measuring DDoS risk using FAIR" would be so timely, given the massive denial-of-service attacks that many US corporations suffered the following week?
"The case studies were great ways to better understand FAIR and how it's being used," commented Don McKweon from LogMeIn.
We also received very positive feedback for accepting nominations and for recognizing risk management leaders who are leading the transformation of their organizations to quantitative and business-aligned risk management programs through the use of FAIR.
The 2016 FAIR Awards honored risk management leaders for their initiative, ingenuity and contributions to information and operational risk management. By enabling operational excellence and effective decision-making, they help achieve the balance required to successfully protect their organizations while seamlessly running the business.
Congratulations again to Chris Cooper, VP, Operational Risk and Chief Compliance Officer at Reinsurance Group of America (RGA) for winning the 2016 Business Innovator award and to Joel Baese, Sr. Risk Manager at Walmart for winning the FAIR Champion award. The FAIR community is fortunate to have such role models.
One of the unique elements of our Conference was the level of networking and the openness with which the attendees shared their experiences and learnings with one another. Between each session and during the breaks, attendees were engaged in powerful conversations with one another.
"It was surreal to be in a room with so many people dealing with the same issues and challenges we face every day. I look forward to supporting and leaning on peers as we work to improve our risk practices," shared Jonathan Beck, SVP-Director, Information Security Risk Management at PNC Bank.
These moments of networking provided some of the most valuable takeaways from the Conference, and we were thrilled to see the level of engagement and interaction taking place throughout the day among the more than 120 participants from organizations such as ADP, Advisen, Alliance Data, AON, Bank of America, Bank of NC, Blue Cross Blue Shield, Cisco, Carnegie Mellon CERT, Deloitte, Fannie Mae, Fidelity Investments, Honeywell, Key Bank, Marsh, National Mortgage Insurance, PNC Bank, Synchrony Financial, TIAA, TransUnion, Walmart and many others.
Resources from the FAIR Conference
If you haven't had the chance to attend the FAIR Conference or want to listen to some of the sessions again, keep an eye on our blog. We will be announcing the posting of resources in the member resources section of the FAIR Institute website over the next several weeks. If you are not a member of the FAIR Institute, consider joining now. Membership is free.