At the recent FAIR Conference at Carnegie Mellon University that drew a record turnout from around the world, we heard one message repeated many ways – the movement toward a rational, data-driven, model-based approach to cyber risk (and away from qualitative, guesswork approaches) is growing fast. The consensus among these leading thinkers on cyber risk is that 2019 will play out something like this…
1. 2019 Will Be the Year of the Breach (All Over Again)
Once again, another year will be The Year of the Breach, just as it was in 2018, 2017, 2016… because, regardless of advances in defensive controls, nothing the cybersecurity profession is doing changes our strategic approach to cyber risk. In 2019, it’s a safe bet that we will continue to suffer massive, embarrassing data breaches. Unless we stop doing more of the same, we will suffer more of the same.
Luke Bader is Director, Membership & Programs for the FAIR Institute.
2. Pressure for Change Will Build in Cyber Risk Management
The good news story of 2019 will be that business leaders and regulators are fed up and demanding an end to the cycle. Their awakening began with the shocking and devastating NotPetya attacks of 2017. Now, pressure is coming down from the top to infosecurity operations to deliver true assessments of cyber loss exposure in financial terms, in line with the rest of enterprise risk management – no more cyber-centric metrics like vulnerability or patching counts. Regulators will move as well, with more stringent requirements to protect data and with requests for more formal, quantitative risk assessments – see the cybersecurity disclosure guidance that came from the SEC in 2018.
3. Cybersecurity Leaders Will Respond to the Pressure
The security profession is getting the message, and the signs are already prevalent: check the agenda for the 2019 RSA Conference, with its many sessions on risk, or the inclusion of FAIR in the SANS CIS Controls poster as part of the Five Keys for Building a Cybersecurity Program (and 2019 will see a number of SANS training events built around FAIR). Leading thinkers in the field recognize they can no longer fail to provide the most relevant information to decision makers: the probability of loss, expressed in dollars.
4. Industry Vendors Will Respond – with Hype
True to form, solutions vendors will rush to re-brand themselves as the silver bullet to define risk capabilities, muddying the language of risk management and failing to deliver the solutions really needed for a quantified, financially based understanding of cyber risks.
5. The Movement for FAIR and Cyber Risk Quantification Will Show Amazing Growth in 2019
As the international standard for cyber risk quantification, the FAIR Model (Factor Analysis of Information Risk) is “gaining traction,” as the Wall Street Journal recently reported. FAIR was just included in the SANS CIS Controls poster as part of the Five Keys for Building a Cybersecurity Program (and 2019 will see a number of SANS training events built around FAIR). Watch this metric in 2019: membership in the FAIR Institute, up to 4,000 in 2018, could potentially double in 2019, as the move toward rationalizing cyber risk management hits the tipping point.