About the Event
Jack Jones and I attended the Cornerstones of Trust Conference in Foster City, CA, on behalf of the FAIR Institute. The conference was attended by 200-plus information risk and security professionals from around the Bay Area. Jack was the afternoon keynote speaker. His presentation, "Just Secure What?," covered the following topics:
- Securing everything isn’t feasible; organizations must prioritize wisely.
- How inconsistent terminology and widely varying mental models hamper prioritization and make it harder to communicate the value proposition of security to business leadership and get the necessary support.
- Challenges faced by the information security profession, and practical methods for overcoming them by leveraging the FAIR open standard.
Click play on the video to listen to his presentation.
Echoes from the Floor
Prior to Jack's keynote, I had the opportunity to talk with several audience members about their thoughts on the FAIR model.
Steve Kruse, a senior cyber risk consultant, shared: "I was doing risk assessments using NIST 830, as well as OCTAVE, and was interested in a different risk assessment methodology. I'm just hoping to learn more about FAIR to get a richer understanding because what I learned about it was just over the internet and free sources of information."
Jimmy Sanders, the principal organizer of the conference and President of the ISSA Bay Area chapter, said: "My main concern with FAIR is how to integrate it into current security solutions. They may have risk assessments and risk management tasks that they are already doing. How do we complement these risk assessments and management? Are we doing risk right or wrong?"
Upon conclusion of Jack's keynote, I was able to follow up with Steve and Jimmy to see if their questions were answered.
Steve said, "Regarding the question of 'How much risk reduction we can get?', (after seeing his presentation) I think that Jack can defend his position about being able to quantify risk reduction in an enterprise. I think this is very important."
Jimmy responded with, "Jack showed examples of risk that were very good. As an organizer of this conference, I looked at the members. This was by far one of the best evening presentations we've had. He kept people engaged and made people question what they think a regular risk assessment is. To me, it was a home run. I loved it. I look forward to seeing and finding out more about FAIR."
In addition to Jimmy and Steve, Lydia Ortega, a Professor of Economics at San Jose State University, was interested in how the FAIR model goes beyond IT risk and extends to operational risk as well. She said, "I was overwhelmed by the complexity around risk. I had seen a couple of sessions here and I realized that this is a big problem – not just from handling a laptop and the security for that – but for the whole architecture of the business. Jack defined risk to its elemental parts and made it more manageable. I know that once you dig into each of the risk factors – from event frequency to loss magnitude – it gets more complex but you're doing it in a systematic way which makes it more manageable."
Ortega also commented on how the FAIR model could be used as a tool to help economics students in the classroom. "The thing that I loved the most was that he started off with defining the problem: what is risk? To me, that's key when we're talking about economics. You can't draw a graph unless you define the variables on the axis – and define them well. If they're inaccurate or vague, you'll have problems in your analysis. That's why I think, more so than before, that FAIR allows the blending of the economics and the risk disciplines."