You may think of FAIR™ quantitative cyber risk analysis as narrowly focused on the technical side of cybersecurity, but watch this short video of Christopher Porter, CISO at Fannie Mae and member of the FAIR Institute Advisory Board, to learn how FAIR enables CISOs to think more broadly about risk. Chris spoke at the annual FAIR Institute breakfast during the 2020 RSA Conference.
As Chris says, “cyber risk is business risk” and CISOs need to “understand how your business makes money.” FAIR analysis requires a focus on loss in dollar terms, which can uncover surprising ways to reduce risk.
Chris presented three wins from Fannie Mae’s FAIR program:
- While gathering data to understand Secondary Loss for FAIR analysis of breach scenarios, the team discovered that the organization was in a “really bad” contract for credit monitoring services. Fannie Mae renegotiated, with a major cost savings.
- Chris’s team was able to save the organization significantly by right-sizing cyber insurance coverage, based on quantitative analysis of annual loss expectancies and tail risk.
- Fannie Mae met and exceeded regulatory and compliance obligations with FAIR analyses. “It’s not just doing certain actions, you have to prove to those regulatory bodies that you are doing what you say you are doing…And then they get off your back—that’s what all CISOs want…Then you can do the real jobs of leveraging your program, reducing risk across the organization.”
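The second win above rests on two numbers that a FAIR analysis produces: the annual loss expectancy (the average loss per year, which drives budget and premium decisions) and the tail of the annual loss distribution (the bad years, which drive the coverage limit). The following Python script is an added illustration of how those numbers are derived, written for this page; it is not Fannie Mae's or the FAIR Institute's code. It assumes a simplified FAIR structure, a Poisson loss event frequency with per-event primary and secondary loss drawn from min/most-likely/max estimates, and all dollar figures and rates in it are constructed placeholders, not real estimates.

```python
"""FAIR-style Monte Carlo for annual loss expectancy (ALE) and tail risk.

Added illustration, not Fannie Mae's or the FAIR Institute's code. All
inputs are constructed placeholder estimates, not real figures. Secondary
loss is simplified to a per-event draw rather than FAIR's separate
secondary-loss-event probability.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Triangular:
    """Min / most-likely / max estimate, as a calibrated estimator would give it."""
    low: float
    mode: float
    high: float

    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        # stdlib signature is triangular(low, high, mode)
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    loss_event_frequency: float   # expected loss events per year (Poisson rate)
    primary_loss: Triangular      # response, replacement, lost productivity per event
    secondary_loss: Triangular    # fines, credit monitoring, legal costs per event


def poisson(rng: random.Random, rate: float) -> int:
    """Knuth's method; adequate for the small per-year rates FAIR scenarios use."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, trials: int = 20_000, seed: int = 7) -> list[float]:
    """One simulated year per trial: number of events, then loss per event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        events = poisson(rng, s.loss_event_frequency)
        total = 0.0
        for _ in range(events):
            total += s.primary_loss.sample(rng) + s.secondary_loss.sample(rng)
        losses.append(total)
    return losses


def percentile(values: list[float], p: float) -> float:
    """Nearest-rank percentile (0 < p <= 100) over an unsorted list."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100.0 * len(ordered)))
    return ordered[rank - 1]


def analytic_ale(s: Scenario) -> float:
    """Closed form: E[annual loss] = rate * E[loss per event]; a sanity check on the simulation."""
    return s.loss_event_frequency * (s.primary_loss.mean() + s.secondary_loss.mean())


def summarize(losses: list[float]) -> dict[str, float]:
    """ALE is the mean; p90/p95 describe the tail an insurance limit has to cover."""
    return {
        "ale": sum(losses) / len(losses),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "p95": percentile(losses, 95),
        "max": max(losses),
    }


# Constructed example scenario; every figure here is a placeholder.
BREACH = Scenario(
    name="customer-data breach (placeholder)",
    loss_event_frequency=0.5,
    primary_loss=Triangular(100_000, 400_000, 1_500_000),
    secondary_loss=Triangular(50_000, 200_000, 800_000),
)

if __name__ == "__main__":
    stats = summarize(simulate_annual_losses(BREACH))
    print(f"analytic ALE: {analytic_ale(BREACH):,.0f}")
    for key, value in stats.items():
        print(f"{key:>4}: {value:>14,.0f}")
```

With these placeholder inputs the median simulated year is a loss of zero (no event occurs in most years), while the ALE is roughly half a million and the 95th percentile is several times that. That gap is the point of the tail-risk view: sizing insurance to the ALE alone under-covers the years that actually matter, and sizing it to the maximum over-pays, so the percentile the organisation chooses is where the risk appetite conversation happens.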