The FAIR Institute hosted its annual FAIR Breakfast in San Francisco in conjunction with the RSA Conference, featuring a panel of experienced FAIR practitioners. Scroll down the page for the videos – watch for a wealth of tips on starting and running a quantitative risk analysis program. (And more videos from the breakfast are in the Link member community Resource Library).
On the panel:
- Steve Reznik, Director of Operational Risk Management, ADP
- Chris Porter, CISO, Fannie Mae
- Jack Freund, Director, Cyber Risk, TIAA
- Omar Khawaja, CISO, Highmark Health
The panel was moderated by Jack Jones, Chairman of the FAIR Institute and creator of the FAIR model.
FAIR Institute President Nick Sanna kicked off the event with a rundown of success markers for the organization: membership expected to hit 5,000 by the end of March; 30% of the Fortune 1000 represented in the membership, heading to 50% by the end of the year; and, the night before, SC Media honoring the Institute at its SC Awards as one of the three “Most Important Industry Organizations of the Last 30 Years.”
As Nick said, “How many organizations have the power to change the way you think about how you do your daily job, how you look at the world, how you assess the significance of events? That’s what the FAIR model does.”
Some tips from the talks:
1. You don’t need to quantify risk to start getting benefits from FAIR
Steve Reznik said “FAIR can be very beneficial in helping understanding of what risk is, talking about the components and saying ‘let’s get rational.’”
Jack Jones suggested “use the ontology to decompose the conversation about risk – don’t even mention FAIR. After a few conversations you’ll find they begin having conversations on their own that are FAIR-based. Their mental models have been calibrated and that’s a huge step forward.”
Omar Khawaja summed it up: “Our (initial) adoption was not about quantifying risk. It was about language.”
2. Start small and look for quick wins
To introduce FAIR, “look for the quick wins, simple things like security exceptions, purchase decisions, control decisions” that demonstrate the power of the FAIR approach to fulfill an immediate need, Jack Freund said.
Photo left to right: Omar Khawaja, Steve Reznik, Chris Porter, Jack Freund, Jack Jones
Chris Porter had a classic quick-win story: The IT team was resistant to putting in the effort to fix a critical vulnerability in a crown-jewel application that was close to retirement. Chris did a quick FAIR estimate showing the range of potential losses if the vulnerability were to be exploited, then asked the IT team if they would accept that risk. “They got it fixed in three days.”
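The kind of quick estimate Chris describes can be run in a few dozen lines. The example below is added for this page and is not FAIR Institute, Fannie Mae, or panelist code; it follows the FAIR decomposition (Risk = Loss Event Frequency × Loss Magnitude, with LEF = Threat Event Frequency × Vulnerability), takes each input as a calibrated low / most-likely / high range sampled from a BetaPERT distribution, draws the number of loss events per period from a Poisson distribution, and reports the loss range over the application's remaining life. The scenario inputs (`CROWN_JEWEL_FLAW`, the loss figures, the months to retirement) are constructed for illustration and are not the numbers from Chris's analysis.

```python
"""FAIR-style Monte Carlo estimate of loss exposure (added illustration, stdlib only).

Risk = Loss Event Frequency x Loss Magnitude; LEF = Threat Event Frequency x Vulnerability.
Every input is a calibrated (low, most likely, high) range sampled as BetaPERT.
"""
import math
import random
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pert:
    """A calibrated range, sampled from a BetaPERT distribution."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        if self.high <= self.low:                  # degenerate range = point estimate
            return self.low
        span = self.high - self.low
        alpha = 1 + 4 * (self.likely - self.low) / span
        beta = 1 + 4 * (self.high - self.likely) / span
        return self.low + span * rng.betavariate(alpha, beta)


@dataclass(frozen=True)
class FairScenario:
    tef: Pert              # Threat Event Frequency: exploitation attempts per year
    vulnerability: Pert    # P(a threat event becomes a loss event), 0..1
    primary_loss: Pert     # per-event primary loss: response, recovery, downtime ($)
    secondary_loss: Pert   # per-event secondary loss: fines, legal, reputation ($)


def _poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one period at rate lam (Knuth's method)."""
    if lam <= 0:
        return 0
    if lam > 500:                                  # exp(-lam) underflows; normal approx
        return max(0, round(rng.gauss(lam, math.sqrt(lam))))
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario: FairScenario, horizon_years: float = 1.0,
             trials: int = 10_000, seed: Optional[int] = None) -> dict:
    """Simulate `trials` periods of `horizon_years` and summarise the loss distribution."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        # LEF for this trial, scaled to the horizon (e.g. 0.5 for six months)
        lef = scenario.tef.sample(rng) * scenario.vulnerability.sample(rng) * horizon_years
        total = 0.0
        for _ in range(_poisson(rng, lef)):
            total += scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
        losses.append(total)
    losses.sort()

    def pct(q: float) -> float:
        return losses[min(len(losses) - 1, int(q * len(losses)))]

    return {
        "ale": sum(losses) / len(losses),          # mean loss over the horizon
        "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
        "max": losses[-1],
        "p_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


# Constructed inputs for the quick-win story: a critical, remotely exploitable
# flaw in a crown-jewel app due for retirement.  Illustrative numbers only.
CROWN_JEWEL_FLAW = FairScenario(
    tef=Pert(0.5, 2, 6),                 # attempts per year against this app
    vulnerability=Pert(0.3, 0.6, 0.9),   # unpatched, public exploit: likely to succeed
    primary_loss=Pert(50_000, 200_000, 800_000),
    secondary_loss=Pert(0, 500_000, 5_000_000),
)


def exposure_until_retirement(months: int, trials: int = 10_000, seed: int = 42) -> dict:
    """Loss exposure over the app's remaining life: the range to put in front of IT."""
    return simulate(CROWN_JEWEL_FLAW, horizon_years=months / 12, trials=trials, seed=seed)


if __name__ == "__main__":
    for months in (6, 12):
        r = exposure_until_retirement(months)
        print(f"{months:>2} months to retirement: P(any loss)={r['p_any_loss']:.0%}  "
              f"median=${r['p50']:,.0f}  p90=${r['p90']:,.0f}  max=${r['max']:,.0f}")
```

The decision question is then the one Chris asked: given this range over the months until retirement, does IT accept it? Because the horizon scales LEF rather than being ignored, a short remaining life legitimately shrinks the exposure; what it cannot shrink is the per-event loss magnitude, which is usually what makes the "accept it" answer uncomfortable.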
“Our quick win ended up being employee engagement on the security team,” Omar said. Just bringing in FAIR showed the team that there was a thoughtful plan and forward momentum, a morale booster.
For more quick victories, get Jack’s eBook, An Adoption Guide for FAIR.
3. Build support in the organization among stakeholders, executives and partners
Jack Jones and Steve Reznik emphasized the importance of finding an executive sponsor as a key step in FAIR adoption: “even an hour to show a senior stakeholder the lens through which FAIR views the world and how this is a way to be far more effective as a security operation.” Jack suggested a similar conversation with external auditors as a support builder. And Chris Porter added that the operational risk team can be a strong supporter if you can position FAIR as unifying risk management across the organization.
Omar takes a novel approach to FAIR socialization: he pays for out-of-team scholarships for FAIR training from his budget. “Whenever we do FAIR training, at least 15% of the trainees have to be from outside the security team.”
Watch the FAIR Breakfast videos...
The 2019 FAIR Conference is coming up, September 24-25, at National Harbor, MD, near Washington, DC. Learn more.