Watch this video of a session at the recent 2021 FAIR Conference for a systematic way to handle the questions from the Board and C-suite that any CISO should prepare to answer, in the highly likely event that a competitor suffers a cyber loss event.
Dan Garcia, Deputy CISO, Datto
Tyanna Smith, Cyber Risk Manager, Datto
Jack Whitsitt, Sr. Security Engineer, Datto
The presenters from Datto, the services provider to MSPs, are all experienced practitioners and educators for FAIR™ (Factor Analysis of Information Risk) quantitative risk analysis. Jack Whitsitt pioneered the FAIR program at Bank of America and Tyanna Smith was a RiskLens consultant.
One theme that ran through the session was the importance of language: defining the terms around cybersecurity risk that security and business teams could agree on -- and then agree on the business purpose of the risk analysis -- with the help of FAIR’s standardized, quantitative terminology.
Six Questions for a Competitor Cyber Incident Comparison
1. Can something like this happen to us?
Jack: “We built graph models of what happened to them, worked through with our team a graph model with our environment, with the same peer points of likeness and we did a comparison.”
2. Why do we have to worry?
The team took a first look at “control opportunities”: potential gaps in cyber defenses identified by working through FAIR factors such as Contact Frequency, Susceptibility or Loss Magnitude (checking telemetry for supporting data), guided by what was known about the competitor’s loss event.
3. How much do we have to worry?
This is where classic FAIR analysis comes in – defining the probable risk scenarios and quantifying the loss exposure they pose in the non-technical, financial terms that business leaders can understand.
4. Do we have too much to worry about?
This is the question about risk appetite. The Datto team had already done the research work with business management to establish those limits. Jack: “You are talking about all these pieces that turn into what matters to the business.”
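As an added illustration of questions 3 and 4 (not code from the session or from Datto), the following Python sketch quantifies one risk scenario the FAIR way: threat contacts become loss events with some susceptibility, each event draws a loss magnitude from a min/most-likely/max range, and the 90th-percentile annual loss is compared with an agreed risk appetite. All input values are constructed for the example, and the simplifications (Poisson contacts, triangular loss magnitude) are this example's assumptions, not FAIR's prescribed distributions.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean

@dataclass
class Scenario:
    """One FAIR risk scenario, with constructed (illustrative) inputs."""
    contact_frequency: float  # expected threat contacts per year
    susceptibility: float     # probability a contact turns into a loss event
    loss_min: float           # per-event loss magnitude, USD: lowest plausible
    loss_mode: float          # most likely
    loss_max: float           # highest plausible

def poisson(lam: float, rng: random.Random) -> int:
    """Poisson sample via Knuth's method (adequate for the small rates here)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1

def simulate_year(s: Scenario, rng: random.Random) -> float:
    """Total loss for one simulated year: contacts -> loss events -> magnitudes."""
    contacts = poisson(s.contact_frequency, rng)
    events = sum(1 for _ in range(contacts) if rng.random() < s.susceptibility)
    # random.triangular takes (low, high, mode)
    return sum(rng.triangular(s.loss_min, s.loss_max, s.loss_mode) for _ in range(events))

def loss_exposure(s: Scenario, trials: int = 10_000, seed: int = 1) -> dict:
    """Annualized loss expectancy plus tail figures from `trials` simulated years."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(s, rng) for _ in range(trials))
    return {
        "ale": mean(losses),                      # expected annual loss
        "p90": losses[int(0.9 * trials) - 1],     # roughly a 1-in-10-year loss
        "p_no_loss": losses.count(0.0) / trials,  # share of years with no event
    }

def within_appetite(result: dict, appetite_usd: float) -> bool:
    """Question 4: compare the 90th-percentile annual loss to the agreed limit."""
    return result["p90"] <= appetite_usd

# Constructed example: ten contacts a year, one in five succeeds, $50k-$1M per event.
SCENARIO = Scenario(10.0, 0.2, 50_000, 200_000, 1_000_000)

if __name__ == "__main__":
    result = loss_exposure(SCENARIO)
    print(result, "within $2M appetite:", within_appetite(result, 2_000_000))
```

With these inputs the expected annual loss works out analytically to about $833k (2 events/year times a mean loss of roughly $417k), which the simulation reproduces; the tail figure, not the average, is what gets compared with the appetite.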
5. What can we do?
Take a second look at control opportunities, based on a better-defined idea of where risk lies.
6. Is it enough?
Iterate. “Analysis is a dialogue, and you keep going through it till you have all the answers you want,” Jack said.
You can register now at no charge to view this session on video – register here.