RSA has posted on YouTube many of the videos of the presentations at the 2020 RSA Conference, including several by FAIR™ advocates and experts that, if you missed them the first time around, are well worth a watch.
RSAC20 was a banner year for FAIR, with two half-day sessions led by FAIR book co-authors Jack Jones (image, right) and Jack Freund plus consultants from RiskLens who introduced FAIR to an audience of 700, a solo session led by Jack Freund on maturing cyber risk practices, and the annual FAIR Institute Breakfast. You can also watch the breakfast speakers on video, including talks by Chris Porter of Fannie Mae and Mark Tomallo of Ascena Retail.
There’s more to learn from these RSA Conference talks:
Speaking to Executives: Implementing Quantitative Risk in Cyber-Programs
With Emery Csulak (image, right), who is introducing FAIR at the Department of Energy as Chief Information Security Officer (CISO)/Deputy CIO for Cybersecurity and Cody Scott, Chief Cyber Risk Officer, National Aeronautics and Space Administration (NASA), also bringing FAIR to that agency.
Emery gave a strategic view of why he went with FAIR, mostly centered on cultural issues, that financial analysis of cyber risk can remedy: “We’ve spent years trying to teach executives how to talk about IT and we’ve spent almost no time at all trying to teach IT people how to talk like executives.. We want to give tools to the IT executives to have more meaningful conversations.”
His tip on getting started with FAIR and quantitative analysis is to just get started. “We were going to come up with something so solid and well thought-out that we wasted six months. We realized we are not going to get anywhere unless we started doing analysis.” He set a goal of doing one analysis a week, “it doesn’t matter if it’s a big or a small one.”
Cody discussed the roadshow he put on to introduce FAIR at NASA, and how he found a compelling use case to bring the organization along: What’s the risk of a nation state accessing scientific data from the Voyager 2 spacecraft (gathering data on the universe since 1977)? The first reaction from the organization was to “freak out”, Cody said, but with FAIR analysis, he was able to show that the current value of the data was actually low and so was the probability of occurrence, putting the risk in perspective.
Related: See the video of Emery’s appearance on the CISO panel at 2019 FAIR Conference.
What’s in Your Risk Assessment?
The comedy duo of Steve Reznik, Director, Operational Risk Management, ADP, Allison Seidel, Senior Risk Specialist, PNC Bank, gave a funny but thorough introduction to FAIR analysis, complete with an animated flying heat map that kept trying to insert itself into their slides.
Between them, they covered a lot of ground, including
- 4 key questions to ask for a quantitative cyber risk analysis scenario (Where, What, How, How Much and How Much More/Less)
- Where to find data to feed an analysis (Allison got
deeper into that in a FAIR Institute blog post, Shopping for Cyber Loss Data.) - Steve’s concept of “Trade Studies” – how to reality check whether applying a control that might look good in analysis might actually create more damage than it’s worth for the organization.
- Benefits of using FAIR to comply with regulations such as GDPR. Steve led the team to develop the Institute’s Regulatory/Compliance Risk Assessment Overview for FAIR Practitioners, a handy list of the risk assessment requirements from all the major regulations and frameworks.
And they finished with a detailed look at a sample FAIR analysis for the fictitious “Bank of the Isles.”
Measuring Vulnerability Remediation Strategies with Real-World Data
Dr. Wade Baker (image, right), Partner and Co-Founder, Cyentia Institute, and FAIR Institute Advisory Board member, and his Cyentia associate Senior Data Scientist Dr. Benjamin Edwards brought some good news to the seemingly endless struggle with vulnerability remediation: Yes, organizations can remediate all the high risk vulns in their environment – emphasis on “high risk” – if they approach the task with a strategy (and not just blindly following CVSS scores). The talk covers four data-driven measures: coverage, efficiency, velocity and capacity.
