Hear John Carlin, chair of the global risk and crisis management practice at Morrison & Foerster and formerly head of the cyber security division at the US Department of Justice, speak about the transformative experience that cyber risk quantification brought about in two government organizations.
John addressed FAIR Institute members on February 15, during the RSA Conference 2017. In the video recording of the session, he vividly describes how a reactive law-enforcement organization, whose mission was to hold perpetrators of terrorist acts accountable, transformed itself into an intelligence agency whose responsibility was to see where acts of terror might occur and prevent them from happening. In that process, they had to figure out how to garner support from their oversight committees and justify the need to re-allocate resources to certain operations. That led to a project to quantify risk.
They found considerable value in helping field officers, who were not risk professionals, answer questions about the risk in their domain in a structured fashion. But most importantly, he concludes, "based on my experience, it is not even the resulting number that matters the most. It's the conversation it engenders, that allows a board, a general counsel, a business executive, to think in a very structured frame about what the risk is, so that the business side of the house can support you in identifying where resources need to go."