FAIR Institute Breakfast Meeting during RSAC™ 2025 Conference

At our annual breakfast meeting, we had an all-star executive panel that showcased how FAIR™ programs are revolutionizing their cyber risk business decisions by providing clear bottom-line impact analysis and cost-effectiveness metrics. By watching this session, you will: - Gain deep insights into emerging best practices for business-centric cyber risk management - Learn about cutting-edge tools and solutions - Hear directly from leading FAIR™ implementers The Member Executive Panel was comprised of Mark Tomallo, CISO, Victoria's Secret; Jonathan "JT" Taylor, Deputy CISO, UC Davis; Michelle Griffith, VP, GRC, IHG Hotels; Alexander Antukh, CISO, Aboitiz Power; and moderated by Bernadette Dunn, Head of Education, FAIR Institute.

Zero Trust in CRQ? Or CRQ in Zero Trust? - Sponsored by Ostrich Cyber-Risk

Implementing Zero Trust requires whole-organization support and commitment, from top-level management through to individual practitioners and analysts. A Zero Trust transformation necessitates changes to people, processes, and technology to embrace an asset- and data-centric approach to security. This shift to organizational culture and strategy is an ideal time to also transform risk management and analysis processes, moving away from purely qualitative assessments to more quantitative analyses focused on the assets that matter for business success. Join this webinar to learn more about where cyber risk quantification (CRQ) can be integrated into a broader Zero Trust transformation and the value that adding CRQ provides to having business conversations. Security should enable business, not hinder it, and combining CRQ techniques with a Zero Trust approach provides a streamlined way for this to occur. Sponsored by Ostrich Cyber-Risk.

FAIR-MAM™: Your (Not-So) Secret Tool to Build Defensible Resiliency

Join us for an insightful webinar on the FAIR Materiality Assessment Model (FAIR-MAM) and discover how it transforms cyber risk management and enables communicating cyber risk into the business language. In this session, we’ll guide you through three key steps to kickstart your FAIR-MAM™ journey, ensuring your assessments are defensible and aligned with business objectives. You'll see real-world examples of how organizations, like Richemont, have used FAIR-MAM to: Strengthen defensibility Enhance risk communication Support strategic decision-making This webinar is designed for CISOs, Risk Leaders, and Analysts who looking to bridge the gap between cyber risk and financial impact. Learn how to effectively communicate materiality in business terms and take your risk management to the next level.

FAIR Taxonomy for Cyber Risk Scenarios- An Analyst’s Guide for Defining Risk Scenarios for Continuous Risk Management

Join us as we introduce the FAIR Taxonomy for Cyber Risk Scenarios: An Analyst's Guide for Defining Risk Scenarios for Continuous Risk Management. This groundbreaking resource that addresses one of the most challenging aspects of cyber risk management: creating clear, consistent, and actionable risk scenarios. In this webinar, we'll explore how this standardized taxonomy enables organizations to overcome common challenges in cyber risk definition, including vague risk statements, overloaded risk registers, and inconsistent terminology. By implementing a structured approach aligned with industry best practices, security teams can more effectively quantify, prioritize, and manage their cyber risks. Our presentation will cover: The refined cyber risk taxonomy with clearly defined categories for threats, assets, methods, and effects How the updated risk scenario framework aligns with modern threat landscapes The expanded list of effects based on the FAIR Materiality Assessment Model (FAIR-MAM™) Practical examples demonstrating how to apply the taxonomy in real-world scenarios We invite you to participate and provide feedback.

Using FAIR to Be Compliant on ISO/IEC 27001

ISO/IEC 27001 is the globally recognized standard for information security management. It guides organizations in establishing, implementing, and improving an Information Security Management System (ISMS). For organizations seeking to safeguard sensitive data, meet regulatory or contractual compliance standards, and build trust with stakeholders, achieving ISO 27001-2022 certification is often a mandatory milestone. However, many organizations face challenges in interpreting ISO 27001's requirements, integrating it with other frameworks, and maintaining ongoing compliance. The FAIR Cyber Risk Management Framework (FAIR-CRMF) is a powerful tool to address these challenges. The FAIR-CRMF provides a structured, quantitative approach to risk management based on the FAIR standard, enabling enterprises to implement ISO 27001 efficiently while aligning their security strategies with business objectives.

How to Use FAIR to Mature Your Cyber Risk Management Program with NIST CSF 2.0

This white paper is a guide to a practical, advanced approach to building a Cybersecurity Risk Management Program (CRMP), emphasizing integration with the NIST CSF 2.0. It leverages the CSF’s Govern function as the structural foundation for defining, measuring, and maturing cybersecurity risk governance to create actionable steps for bridging technical execution with strategic decision-making. WHAT: A CRMP establishes a structured, risk-driven framework that systematically identifies, assesses, mitigates, and monitors cybersecurity risks, integrating with organizational objectives and regulatory requirements to provide a repeatable process for safeguarding critical systems and data. WHY: A strong CRMP is essential for defending against cyber threats, ensuring business continuity, and meeting regulatory requirements like NIST CSF, ISO 27001, GDPR, and PCI-DSS. It provides a structured approach to risk management, aligning security efforts with business goals while preventing financial and reputational damage. WHO: Stakeholders in the CRMP include executives and board members, as well as IT, legal, cyber, and business function or operational teams, all of whom rely on the program’s outputs to align security efforts with their related roles in governance, finance, technical execution, and regulatory adherence. WHERE: Within an organization, the CRMP operates through the Governance, Risk, and Compliance (GRC) function, supported by risk analysts and operational teams, embedding risk management practices into daily processes and strategic planning across all departments. HOW: Leveraging the CSF’s Govern function, this guide defines implementation tiers that guide organizations in assessing their current governance maturity, establishing risk management policies and enhancing program effectiveness through a structured, scalable roadmap tailored to the organization’s unique risk profile.. WHEN: The CRMP is a continuous, ongoing process rather than a point-in-time exercise; it incorporates real-time threat monitoring, period risk assessments, and iterative improvements to address dynamic cybersecurity threats and organizational changes effectively. Shift Right: By integrating the Factor Analysis of Information Risk (FAIR) model, the CRMP advances to a more data-driven and forward-looking approach, allowing for quantification of risk in financial terms and providing an avenue for precise, predictive decision-making designed to optimize outcomes. This guide assumes familiarity with the overall NIST cybersecurity methodology and aims to equip organizations with actionable insights to develop, refine, and sustain an effective cyber risk governance strategy.

FAIR Cyber Risk Scenario Taxonomy (An Analyst's Guide)

Cyber Risk Scenario Taxonomy and Guide (February 2025)

Dismantle The Three Lines Of Defense: The Forrester Continuous Risk Management Model

Join us for a new and illuminating webinar exploring Forrester's groundbreaking report that challenges traditional enterprise risk management paradigms. As organizations face increasingly complex and interconnected risks, the conventional Three Lines of Defense model has become outdated and inefficient. Whether you're a CISO, CIO, GRC Leader, or risk management professional, this webinar will provide valuable insights into the future of enterprise risk management and concrete steps to strengthen your organization's risk posture. In this session, we'll examine Forrester's innovative Continuous Risk Management model, which proposes a more dynamic and integrated approach to managing risk across the enterprise. Learn the benefits of breaking down silos between risk, compliance, and audit functions to create a more responsive and effective risk management framework. Key topics include: Why the Three Lines of Defense model is no longer sufficient for today's risk landscape The core principles of Continuous Risk Management and how it transforms organizational resilience Practical strategies for transitioning from siloed defense lines to an continuous risk management approach

A FAIR Framework for Effective Cyber Risk Management

Cybersecurity leaders face an increasingly complex risk landscape where the stakes—financial, operational, and regulatory—continue to climb. The FAIR Institute’s latest white paper, Integrating FAIR Models for Cyber Risk Management, written by Pankaj Goyal and me, provides an invaluable blueprint for addressing these challenges. By detailing the integration of the FAIR Model, FAIR Controls Analytics Model (FAIR-CAM), and FAIR Materiality Assessment Model (FAIR-MAM), this paper illustrates a robust framework that quantifies cyber risk in financial terms while aligning security practices with business objectives. This paper was developed to bridge a gap in how organizations quantify and manage cyber risks. Many existing approaches to cybersecurity focus on improving controls (mitigating vulnerabilities) without a clear understanding of the broader impact on business operations or compliance mandates. Furthermore, the 2023 SEC Cybersecurity Disclosure Rule has heightened the need for transparent, standardized methods for reporting material risks and estimating potential losses. By weaving together three interrelated FAIR standards, this paper sets out to empower Chief Information Security Officers (CISOs), cyber risk leaders, and other stakeholders to: quantify risk in terms of probable financial loss, taking into account control effectiveness and its direct impact on risk factors; evaluate materiality with a structured, defensible approach to loss estimation; and align risk management efforts, especially investments to improve controls, with business priorities and regulatory compliance. For CISOs and cyber risk management leaders, this white paper addresses how to: Bridge the Cyber-Business Gap: By quantifying risk in financial terms, the integrated FAIR models enable leaders to communicate risk in a language the board and executives understand—dollars and cents. Optimize Control Effectiveness: FAIR-CAM offers a structured methodology for understanding how controls interact as a system, allowing organizations to invest strategically in the most impactful controls. Meet Regulatory Demands: With the SEC’s requirement to disclose “material” risks, FAIR-MAM provides the granularity and rigor needed to develop accurate and defensible loss estimates for reporting. Enhance Decision-Making: By integrating these models into a Cyber Risk Management System (CRMS), organizations gain real-time insights (situational awareness), enabling better prioritization and resource allocation. Our paper addresses the following key topics: The FAIR Model: Foundation for Risk Quantification At its core, the FAIR Model decomposes risk into Loss Event Frequency and Loss Magnitude, providing a clear structure for estimating annualized loss exposure (ALE). By integrating threat intelligence and vulnerability data, FAIR enables dynamic, continuous risk monitoring. FAIR-CAM: A “Controls Physiology” Approach FAIR-CAM expands on the FAIR Model by categorizing controls into three domains — Loss Event Controls (reduce loss frequency or magnitude), Variance Management Controls (ensure control reliability), and Decision Support Controls (align decisions with organizational objectives). This systemic perspective highlights interdependencies between controls, ensuring a more reliable measurement of their effectiveness. FAIR-MAM: Granular Loss Magnitude Analysis FAIR-MAM addresses the challenge of quantifying the financial impact of cyber incidents. By breaking down losses into 10 modules and 26 categories, it enables analysts to provide more precise, defensible estimates. This is particularly valuable for meeting regulatory reporting requirements like those outlined by the SEC. Role of the Cyber Risk Management System (CRMS) A CRMS operationalizes these FAIR standards by centralizing data, automating analyses, and enabling real-time monitoring. It provides a unified platform for integrating risk quantification, control evaluation, and loss analysis, ensuring decisions are both data-driven and aligned with business goals. Conclusion This white paper serves as an essential guide for organizations seeking to implement cyber risk management at scale using FAIR. By integrating the FAIR Model, FAIR-CAM, and FAIR-MAM, organizations can shift from reactive, siloed security measures to proactive, aligned risk management strategies. For cyber risk leaders navigating an increasingly complex threat landscape, this framework offers not just a roadmap but a competitive advantage—demonstrating resilience, transparency, and strategic alignment in the face of growing cyber challenges.

Keynote Conversation: Securing the Nation In Conversation with US Cyber Leaders

I am very honored to present our Day 2 Keynote Session this morning, with two of the United States’ top cyber officials. Having this event in DC provides us with a unique experience to get a Federal Cybersecurity Perspective and to hear from leaders at CISA, DHS, and others about how quantification can help protect our national infrastructure. Please join me in welcoming our esteemed Keynote speakers today: • Iranga Kahangama, Assistant Secretary for Cyber, Infrastructure, Risk, and Resilience, US Department of Homeland Security • Jeff Greene, Acting Executive Assistant Director for Cybersecurity, CISA • And Moderator: Nick Sanna, Founder, FAIR Institute

Why Things can go from Bad to "BOOM" Pretty Quickly

First we start with a CISO panel, “Why Things can go from Bad to "BOOM" Pretty Quickly.” A common paradox in security is that successful prevention breeds complacency. Significant investments in security often lead to reduced incidents, which can inadvertently create the perception that security measures are unnecessary. This can result in budget cuts, deferred upgrades, and neglect of emerging threats. Over time, this decline in security posture increases the likelihood of a catastrophic breach or a gradual erosion of defenses. This panel will discuss what we can do to put in place the counter forces to sustain security. Reminder to please use the QR code in your program to submit question virtually throughout the session. Welcome our panelists today: • Erik Decker, CISO, Intermountain Health • Brian Kelly, CISO, American Airlines • David Neuman, Senior Analyst, TAG Cyber • Wendi Whitmore, Head of Unit 42 Threat Intelligence, Palo Alto Networks • And moderator: Brandon Pinzon, CISO and Risk Executive

Quantifying Cyber Losses Like an Insurer and CFO Would

First we start with a very practical session, “Quantifying Cyber Losses Like an Insurer and CFO Would.” This session will highlight materiality and FAIR-MAM™ and will focus on the how practitioners can focus on the financial side, the magnitude side, of the FAIR model. Welcome our panelists: Robert Immella, Global CRQ Lead, Fortune 1000 Company Monica Tigleanu, Cyber Strategy Leader, BMS Group Erica Eager, Sr. Director Risk Quantification, Safe Security And moderator: Jack Jones, Chairman Emeritus, FAIR Institute

Unlocking Regulatory Alignment Harnessing FAIR Standards for Effective Dialogues with Regulators

First we start with a CISO and Board panel, “Unlocking Regulatory Alignment: Harnessing FAIR Standards for Effective Dialogues with Regulators.” Welcome our panelists today: Christopher Porter, CISO, Fannie Mae James Lam, Board Director, Blackrock iShares And moderator: Neila Zerguini, Partner, Deloitte Canada

Accelerating AI Achieving the Right Balance Between Speed and Security

This is the General Track, and we are going to begin our next panel “Accelerating AI: Achieving the Right Balance Between Speed and Security.” AI and its associated risks have really taken the world by storm. Now, our expert panel of experts shares their experience and thoughts about GenAI. Reminder to please use the QR code in your program to submit question virtually throughout the session. Welcome to our panelists: • Randy Herold, CISO, ManpowerGroup • Michelle Griffith, VP, Security GRC, IHG • Oki Mek, CISO, U.S. Federal Civilian Government, Microsoft • Chip Block, VP/Chief Solutions Architect, Evolver, CEO/Chief Technologist, Kiwi Futures • And moderator: Pankaj Goyal, Director, Research and Standards, FAIR Institute

5 Techniques for Elevating Security Leaders to True CISOs How to Transition from Security to Trust

This is the Executive Track, and we are going to begin our next panel “5 Techniques for Elevating Security Leaders to True CISOs: How to Transition from Security to Trust.” Welcome to our speaker, FAIR Institute Board of Directors Member and CISO at Databricks, Omar Khawaja.

Getting Started with FAIR™

This is the Practitioner Track, and we are going to begin our next use case panorama “Getting Started with FAIR™.” As we always have new members joining and folks attending for the first time, this session is so important. And today we have amazing presenters ready to share their stories and tips with you on what a successful program looks like as it gets started. Welcome to our speakers: Rob Moore, VP, Technology Risk Management, Mastercard Tony Martin-Vegue, Technology Risk Management, Netflix AJ Anand, Director, Transformation and Continuous Improvement, Global Security, ADP

Fireside Chat: Connecting Data Risk to Enterprise Risk A Business Centric Approach with Bipul Sinha

We are excited and fortunate to have a special fireside chat today on “Connecting Data Risk to Enterprise Risk: A Business-Centric Approach” with Bipul Sinha, the CEO of Rubrik in conversation with Saket Modi, CEO, Safe Security.

Fireside Chat with Jack Jones, Author of FAIR™ and FAIR CAM™

I am excited to begin our afternoon sessions with a special discussion with Jack Jones, Chairman Emeritus, FAIR Institute; Author of FAIR™, FAIR-CAM™ on the history of the FAIR model and the future of CRQ. Please welcome Jack and Todd Tucker, Managing Director of the FAIR Institute!

Navigating the Complexities of Assessing and Managing AI Risk

I am excited to begin our afternoon sessions with a special discussion with the AI Workgroup of the FAIR Institute on “Navigating the Complexities of Assessing and Managing AI Risk” Please welcome Arun Pamulapati, Sr. Staff Field Engineer, Databricks Jacqueline Lebo, Risk Advisory Manager, Safe Security Omar Khawaja, CISO, Databricks

ATT&CKing Cyber Risk Quantification

I am excited to begin our afternoon sessions with a special discussion on “ATT&CKing Cyber Risk Quantification” and we really have the experts in the room with us today! Please welcome Wade Baker, PhD, Partner, Cyentia Institute Jon Baker, Director & Co-Founder, Center for Threat-Informed Defense, MITRE Engenuity Vidit Baxi, CISO, Safe Security

What Does Effective Cyber Risk Reporting and Board Oversight Look Like?

Hello and welcome all to this panel on the ever-important topic “What Does Effective Cyber Risk Reporting and Board Oversight Look like?”. Allow me to introduce our panelists: Suja Chandrasekaran, Global, Operations, Digital, Technology and Business Transformation Chief Executive and Board Member Amir St. Clair, AVP, Enterprise Risk Management, Advocate Health And moderator: Larry Clinton, President, Internet Security Alliance

Developing Agile Risk Management Capability by Building your Human Firewall

Presenting the session on the ever-important topic “Beyond Cyber Security – Developing agile risk management capability by building your human firewall” with Dr Gavriel (Gav) Schneider, Group CEO & Principal Consultant, Risk 2 Solution Group. In today’s hyper-connected and rapidly evolving digital landscape, traditional cyber security measures alone are insufficient to protect organizations from the myriad of threats they face. This session will explore the critical role of human elements in creating a robust and adaptive risk management framework.

Building an Enterprise Risk Ownership Model that Works: Quant Risk Ownership and Acceptability

Welcome to another incredible case study presentation with the DropBox team titled “Building an Enterprise Risk Ownership Model that Actually Works: Quant Risk Ownership and Acceptability.” This talk is going to focus on practical examples of implementation and the impacts of evolving to this new risk ownership model at both lower and executive levels of an organization. Welcome to the stage Tyler Britton, Principal Security Engineer at Dropbox.

Closing Remarks: Where is CRQ Going?

We look to close out FAIRCON24 with a summary of our time and sessions here and with a look towards the future of the risk management industry. Here to provide that context is our Closing Remarks speaker, Cody Scott, Senior Analyst for Security & Risk at Forrester.

Strategies for Optimizing Cyber Insurance and Mitigating Risk

We have the final breakout panel now before our last plenary sessions. This session is titled “Strategies for Optimizing Cyber Insurance and Mitigating Risk” and will include a very important talk on the growing role of cyber insurance in the field. Let me invite up to the stage our participants: Mark Wheeler, Co-Founder & Co-CEO, Mosaic Insurance Meghan Hannes, Chief Underwriting & Claims Officer, K2 Insurance Gerry Glombicki, Head of Cyber Security Common Interest Group, Fitch Ratings And moderator: Steven Schwartz, VP, Insurance Strategy & Underwriting, Safe Security

Unlocking Cyber Resilience Executing the Govern Function in the NIST Cybersecurity Framework

This session is titled “Unlocking Cyber Resilience: Executing the Govern Function in the NIST Cybersecurity Framework” and will include a very important about one of our industry’s most well-known frameworks. Let me invite up to the stage our participants: Amy Mahn, International Policy Specialist, NIST Kelly Volz, Managing Director, Cybersecurity Financial Services, EY Heather Dart, Sr. Mgr Information Risk Management, Danaher And moderator: Vince Dasta, Risk Advisor, Safe Security

Risk at the Speed of Business Delivering Risk Management as a Service

This session is titled “Risk at the Speed of Business: Delivering Risk Management as a Service” and is a case study with Zach Cossairt, Integrated Risk Program Senior Manager, Governance Risk & Compliance at Equinix. The use case will focus on one business line at Equinix that is now successfully operationalizing the risk team’s service portfolio to improve the pace and quality of their decision making.

FAIRCON24 Welcome Address

This year at FAIRCON24, more than 60 CISOs, CIOs, board members and cyber risk leaders, all of you here in this room today, will present on, discuss, engage, and share on key topics facing our industry such as third-party risk management, cyber reporting for the board, automating and scaling your program, and emerging risk areas such as AI. Conference attendees will discover a more modern approach to cyber risk management built on the FAIR cyber risk quantification model and including essential program elements, process automation, data visualization and analytics, and GenAI. Together discover new technologies, learn about growing FAIR standards, and expand our networks! Now without further ado, it’s time to get FAIRCON24 kicked off! It is my pleasure to introduce Nick Sanna, Founder of the FAIR Institute. Nick founded the FAIR Institute in 2016 as an expert non-profit organization due to a growing demand from an expanding FAIR community. The idea was to create a forum for learning about FAIR, for developing and sharing innovative best practices, and to serve as a platform and for networking with peers.

Fireside Chat with John Chambers and Saket Modi

Fireside Chat with John Chambers, Fmr CEO and Chairman Emeritus at Cisco and Saket Modi, CEO at Safe Security.

Establishing the CISO as an Indispensable Business Partner

The next session “Establishing the CISO as an Indispensable Business Partner” is packed with experts. The role of the CISO has transformed from a technical steward to a strategic business partner. This discussion will explore a pivotal shift in the perception and responsibilities of the CISO within organizations. The speakers will share case studies and their insights on strategies and best practices that enable CISOs to effectively align Cybersecurity initiatives with overarching business goals. Moderated by Robert Rodriquez, Chairman and Founder of SINET, please help me welcome our esteemed panelists: Michael Johnson, CISO, Meta Financial Tony Parrillo, VP Global Head of Cybersecurity, Enterprise IT, Schneider Electric Bethany De Lude, CISO, The Carlyle Group Susan Chiang, CISO, Headway

Do We Need Cyber Expertise at the Board Level?

Welcome all, please allow me to introduce our next session “Do We Need Cyber Expertise at the Board Level?” This is an ever important question and in this session, Board Members will speak directly to executives to provide tips on what they expect from the C-Suite. Moderated by Yvette Kanouff, Board Member: SAIC, Amdocs, Entegris, Sprinklr, let me introduce our panelists: Michael Coden, Senior Advisor, BCG Brad Strock, Fmr CIO, PayPal Mike Gade, Senior Advisor, BCG

Empowering Business Decisions through CRQ Insights from the Practitioner's Perspective

Please allow me to introduce our next session “Empowering Business Decisions through CRQ: Insights from the Practitioner's Perspective” Today, leading practitioners in (CRQ) will outline how they have successfully used FAIR to architect CRQ programs that enable better business decisions. Our panelists will delve into their first-hand experiences, spotlighting how these data-driven approaches have shaped critical business strategies and yielded tangible outcomes. Welcome our panelists: Grace Gair, Director, Technology Risk Management, Capital One Luis Valenzuela, Director, Data Governance and Data Loss Prevention, InComm Payments Zach Kacprowicz, Senior Advisor, Cyber Risk Management, Cigna And moderator, Daniel Stone, Director, Security & Privacy, Protiviti

CISO Liability How Not to Get Singled Out in an Evolving Regulatory Environment

We begin this track with a really important panel “CISO Liability: How Not to Get Singled Out in an Evolving Regulatory Environment.” Our panelists will be discussing our world a year after the SEC disclosure rules were announced and went into effect last year. Reminder to please use the QR code in your program and follow the instructions to submit questions virtually throughout the session. Welcome to our panelists: • David Hirsch, Partner, McGuireWoods LLP; Fmr. Chief, Crypto Asset and Cyber Unit in the Division of Enforcement, SEC • Mark Tomallo, CISO, Victoria's Secret • John Winter, Chief Legal Officer and Counsel, LLA • Kaitlin Betancourt, Partner, Data, Privacy & Cybersecurity, Goodwin Law • And moderator: Nick Sanna, Founder, FAIR Institute

State of the Third-Party Risk Management (TPRM) Market

In this session, you will hear from Alla Valente, Senior Research Analyst, Forrester and Cody Scott, Senior Analyst, Security & Risk, Forrester on their research in third party risk management. This is going to be an engaging session with time for questions as well. Please keep the questions coming by using the QR code in the program.

Orchestrating Cyber Resilience Across First and Third Party Risk

On our panel on “Orchestrating Cyber Resilience Across First and Third Party Risk,” we will hear from many people with different perspectives on their work bridging the first and third party gap and on recent high-profile events such as Change Healthcare, CrowdStrike. Reminder to please use the QR code in your program and follow the instructions to submit questions virtually throughout the session. Welcome to our panelists: • Kris Lovejoy, Board Member, Dominion Energy; Global Security and Resilience Practice Leader, Kyndryl • Michael Sechrist, Executive Director for Threat and Risk Management, athenahealth • Drew Simonis, CISO, Juniper Networks • Juanita Bates, Director Cybersecurity Governance Risk & Compliance, Jefferson Health • Moderator: Pengfei Wang, Cybersecurity Risk Management & GRC Leader, EY

More than cheese: FAIR Third Party Analytics Model, secret for a perfect pizza

In this presentation, the presenters will walk through the pizza delivery use case to illustrate how FAIR-TAM (FAIR Third Party Assessment Model) is used to automate and integrate third-party risk management. FAIR-TAM enables these businesses to survive and grow in this increasingly competitive GenAI-enabled business environment. This use case shows why risk leaders must elevate their focus from individual controls to the “control physiology” paradigm described under FAIR Control FAIR Controls Analytics Model™ (FAIR-CAM™). Please welcome our speakers: Denny Wan, Chair, Reasonable Security Institute Andrew Shea, Founder, CRFQ Pankaj Goyal, Director, Research and Standards, FAIR Institute

Developing an Effective Cyber Risk Management Program in Today's Digital Landscape

In an age where digital transformation accelerates and regulatory bodies increasingly emphasize oversight, crafting a robust cyber risk management program (CRMP) becomes crucial. This presentation delves into the intricacies of establishing a comprehensive CRMP, leveraging insights from authoritative sources such as the SEC, NIST, and NACD. It highlights the pivotal role of board members and executive leadership and offers practical strategies for CRMP implementation, guided by a cross-industry framework that encompasses four foundational components and 23 guiding principles. Welcome to the stage our speakers, Brian Allen, SVP, Emerging Technology Risk Management for BITS, Bank Policy Institute; Fmr. CSO, Time Warner Cable and Brandon Bapst, Cyber Risk Advisor, EY!

Embracing a True Risk Based Approach to TPRM

Welcome back, time for our next session in the practitioner track. Another amazing case study use case session by GSK. Focused again on their work with thirdy party risk management. Join me in welcoming Meena Martin, VP, Cyber Risk and Assurance, GSK and Pankaj Goyal, Director, Research and Standards, FAIR Institute.

Integrating Cyber Into ERM

Our last session is a super important one that advances even more on the theme of building a fully mature risk program, “Integrating Cyber Into ERM.” Our panel members today are: • John Sapp, VP, Information Security & CISO, Texas Mutual Insurance Company • James Lam, Board Director, Blackrock iShares • Stan Dore, Fmr. CRO, FHLB • Paul Zikmund, CISO, Berkadia • Aneesh Bhatnagar, Head of Risk Products, Servicenow • And moderator: Evan Wheeler, Sr. Director, Tech Risk Mgt, Capital One

Keep Quantifying or Else

Our last session in the practitioner track today is presented by Pierre Olodo, Senior Lead Cyber Risk, Richemont International SA. Pierre will present how they started their cyber risk quantification journey with specific use cases (both technology and business oriented). These use cases were then presented to leadership, who are now requiring more and more cyber risk quantification, hence the need for us to increase the pace in handling and delivering cyber risk quantification.

From Legacy to Leading Edge: Harmonizing Risk Assessment Approaches – Sponsored Webinar with Ostrich Cyber-Risk

Risk assessments must evolve, but making that transition without disrupting consistency is the real challenge. How can organizations modernize their approach while ensuring alignment and clarity? In this session, subject matter experts John Feezell and Penny Longman, along with moderator Adam Lamantia from Ostrich Cyber Risk, will explore how to modernize risk assessments while maintaining consistency and alignment with business priorities. The discussion will cover key external and internal data sources, the trade-offs between in-house assessments and external expertise, and best practices for ensuring risk assessments drive meaningful, actionable decisions. Key Takeaways: How to transition from legacy risk assessments while maintaining consistency The most impactful external and internal data sources for risk assessments Balancing depth and efficiency in control posture evaluations When to assess in-house vs. bring in external expertise Communicating risk insights effectively across different audiences Sponsored by Ostrich Cyber-Risk.

IT Security Controls Prioritization Using FAIR-CAM™ - Sponsored by C-Risk (Webinar)

Join our upcoming webinar IT Security Controls Prioritization Using FAIR-CAM™, hosted by C-Risk Co-founder Tom Callaghan, Jack Jones, Chairman Emeritus of the FAIR Institute, and Rob Moore, VP of Technology Risk at Mastercard. The recent extension to the FAIR™ model, FAIR-CAM™, provides data-driven insights into controls efficacy and measures the risk reduction of control improvements in the context of specific risk scenarios. FAIR-CAM™ takes a physiological approach to understanding control functions—an area often only superficially addressed by traditional cybersecurity frameworks. This model offers a deeper understanding of the key dependencies between controls and provides a clear measure of control efficacy. In this one-hour webinar, you’ll learn how to leverage FAIR-CAM™ to enhance control prioritization and take actionable steps to reduce the likelihood and impact of threat events.

Assessing & Quantifying Enterprise GenAI Risk – Sponsored Webinar with Ostrich Cyber-Risk

The rapid rise of generative AI has created new opportunities for the enterprise while also introducing new risk issues that must be measured, prioritized and addressed. New tech, advanced models enabling innovative business applications result in unique risk scenarios and mitigation options that may challenge the cyber focused risk analyst. What approach should be used? How can the FAIR risk analyst decompose the problem and deliver credible, defensible guidance? This session will examine how to apply the FAIR-AIR Approach Playbook created by the FAIR Institute to quantify AI risk in financial terms allowing stakeholders to make rational business decisions (cost-benefit) on risk treatment options. Key Takeaways: Help you identify your AI loss exposure and enable risk-based decisions Insure proper data and alignment for scenarios and use cases Know how to meet the business needs and enable AI deployment Sponsored by Ostrich Cyber-Risk.

From Controls to Clarity: Simplifying FAIR using the NIST CSF – Sponsored Webinar with Ostrich Cyber-Risk

Adopting the Factor Analysis of Information Risk (FAIR™) methodology and scaling its value can be challenging, especially for early adopters. Identifying and effectively using data on the strength of individual controls within your organization can be particularly difficult. Many organizations already align their programs with leading practices using the NIST Cybersecurity Framework or similar security frameworks. However, these assessments often fall short in guiding the prioritization of cybersecurity budgets and roadmaps. Join experts from Ostrich Cyber Risk and Protiviti as they demonstrate the significant advantages of combining risk quantification with cybersecurity framework assessments to maximize your cybersecurity strategy. Sponsored by Ostrich Cyber-Risk.

How GSK is Building A Next Generation TPRM Program and Tooling - Sponsored by Safe Security

The cybersecurity landscape is constantly evolving with new threats and traditional TPRM methods are not suited to handle emerging risks such as cyber threats, data breaches, and supply chain disruptions. Join Marek Jakubczak, Cyber Risk Leader at GSK and Ram Vemula Product Management, Head of Partnerships at Safe Security to hear about the current state of TPRM and how a large company is changing the game. Lets review the shortcomings and limitations of current approaches and how to build next generation TPRM processes and tools that will help your organization stay resilient, keep pace with the dynamic risk environment, improve operational efficiency, and protect the organization from potential threats associated with third-party relationships. We will also talk about how we can effectively partner with third-parties in managing risk and give them the tools necessary to burn down risk.

NIST CSF Effectiveness: Controls & Quantification – Sponsored Webinar with Ostrich Cyber-Risk

In this webinar, Greg Spicer, Co-Founder and CRO of Ostrich Cyber Risk, along with Kevin Gelsthorpe and John Feezell of Kyndryl, will dive into the intricacies of identifying your biggest cyber risks using NIST Cybersecurity Framework (NIST CSF). We then will explore how to determine which controls most effectively mitigate these risks and how to quantify their effectiveness in financial terms, and influence decisions with stakeholders in your business. Sponsored by Ostrich Cyber-Risk.

FAIR-CAM Controls Library

The FAIR Institute, with the assistance of technical adviser Safe Security, is creating a draft Cybersecurity Controls Library, informed by FAIR-CAM, the FAIR Controls Analytics Model. Now, we are inviting the FAIR community to support this project to develop a highly useful resource for FAIR practitioners looking to assess their controls based on FAIR-CAM. The Controls Library categorizes controls according to their functions as described by FAIR-CAM, and each with an extensive description of how they operate and their value in a cyber risk management program.

FAIR Standards Booklet

A new and complete guide to the FAIR model and standard extensions, FAIR-CAM, FAIR-MAM, FAIR-TAM, FAIR AIR, and FAIR Automation. 

RSAC24 Seminar: Mastering Cybersecurity Risk with FAIR: An Introduction and Case Study

Join the FAIR Institute for a two-part seminar that will demystify the world of FAIR™ (Factor Analysis of Information Risk). In the first session, we'll provide an in-depth introduction to FAIR™, equipping you with the knowledge needed to tackle cyber risk effectively. In the second session, we'll dive into a compelling case study that showcases the practical application of FAIR™ principles.

FAIR Model in Traditional Chinese

FAIR Model in Traditional Chinese

The Future of AI Risk Management: A Deep Dive with the FAIR Institute AI Workgroup

Join the FAIR Institute AI Workgroup as we navigate the evolving world of AI risks. We'll introduce the workgroup, its members, and exciting 2024/25 initiatives. In this webinar, the Workgroup members will share their insights on: Building trust in the age of AI Navigating recent hot-button topics like illegal AI robocalls, a use case with Rite Aid, and the EU Act Mitigating model development risks and ensuring materiality We will learn how to navigate these complexities and build trustworthy AI for your organization.

Financial Impact Questionnaire (FIQ) - Customize FAIR-MAM for Your Most Accurate Cyber Loss Data

The FAIR Institute introduced in 2023 the FAIR Materiality Assessment Model (FAIR-MAM ™) a step change in quantifying loss magnitude for FAIR cyber risk analysis. FAIR-MAM enabled analysts to gather loss data at a granular level that ensured a high level of accuracy – and store it in an always available repository, ready for reporting out the impact of a data breach or other loss event in a defensible format that could stand up to scrutiny by regulators. We’re now introducing a tool to help further sharpen loss data for analysis: the Financial Impact Questionnaire (FIQ).

Managing Cyber Risk in a Time of New Incident Disclosure Rules Welcome Address

Without further ado, please join me in welcoming our esteemed keynote speaker, Nick Sanna, Founder of the FAIR Institute. Speaking today on “Managing Cyber Risk in a Time of New Incident Disclosure Rules” and how FAIR plays a necessary part. Welcome Nick!

Case Study Panorama with Richemont and Econocom

Speaking about real life examples, next up today is our first of two Case Study Panorama sessions with Pierre Olodo, Senior Lead Cyber Risk, Richemont and Anne Lupfer, Deputy CSO, Econocom who will both give us examples of deploying quantification at their organizations.

Meeting Regulatory Compliance - How to Think About Materiality with FAIR

Our session now is “Meeting Regulatory Compliance - How to Think About Materiality with FAIR” that will discuss real life examples at companies using FAIR and also give insight into the research that the Institute is planning this year. Welcome Mouhamad el Houssaini, Risk Director, ADP and Pankaj Goyal, Director of Standards and Research, FAIR Institute.

The Significance of the NIS2 Directive and of the Digital Operational Resilience Act DORA

Next up, we have an esteemed panel of experts who will deep dive into “The Significance of the NIS2 Directive and of the Digital Operational Resilience Act (DORA).” Welcome to the stage: Moderator: Anne Leslie, Cloud Risk & Controls Leader EMEA, Financial Services, IBM Cathie-Rosalie Joly, Partner, Bird & Bird Law Firm Martina Dvar, Advisor, European Central Bank Iva Tasheva, Co-founder & Cybersecurity Lead, CYEN; Working Group Member, ENISA

Re-thinking Third Party Risk Management

Wrapping up our morning sessions today, we will turn our focus to another research initiative of the FAIR Institute, how to re-thinking third party risk management with quantification. Here to discuss and present are Meena Martin, VP Cyber Risk and Assurance, GSK and Pankaj Goyal, Director of Standards and Research, FAIR Institute.

GenAI Related Risk and Opportunities

Moving on to the next panel focusing on managing new risks and opportunities in the rapidly growing world of AI, please help me welcome our panel today: Moderator: Pankaj Goyal, Director of Standards and Research, FAIR Institute Gérôme Billois, Partner, Wavestone Sabine Marcellin, Lawyer, Digital Law, Oxygen+; Professor, AI, KEDGE Business School Jacqueline Lebo, Risk Advisory Manager in Security Services, Safe Security

The Future of the Cyber Risk Management Profession with Jack Jones

As we advance into the day, so we advance into the further of our profession. Join me in welcoming Jack Jones, Chairman Emeritus of the FAIR Institute and author of FAIR and FAIR-CAM for his talk on “The Future of the Cyber Risk Management Profession!”

CxO Panel - Managing Cyber Risk in a Time of New Incident Disclosure Rules

Next up we have a very special CxO panel for you to share how executives can more effectively manage cyber risk in this time of new incident disclosure rules. Please welcome: - Moderator: Thiébaut Meyer, Director, Office of CISO, Google Cloud - Benoit Fuzeau, CISO, CASDEN; President, CLUSIF - Aljona Reiser, Head of Cyber Business Risk, Commerzbank AG - Ariane Chapelle, Partner, BDO Chapelle

Optimizing Cyber Insurance with Risk Quantification

Our next panel will dive deep into optimizing cyber insurance with risk quantification, help me welcome our moderator and panelists: - Moderator: Christopher Khadan, Chief Customer Officer, Safe Security - Leopold Larios, Director of Cyber Insurance Offering, Descartes Underwriting - Andreas Schmitt, Global Cyber Underwriting Manager, Zurich Insurance - Thierry Zucchi, Head of Cyber Activity, Relyens - Patrick Montagner, Deputy Secretary General, ACPR (French Prudential and Resolution Authority)

Case Study Panorama with Mastercard and Fresenius

Kicking off our last segment of sessions today is our final case study panorama session, moderated by Greg Spicer, Co-Founder and CRO at Ostrich Cyber-Risk. Join me in welcoming two expert FAIR professionals, Rob Moore, VP, Technology Risk, Mastercard and David Steng, Director, Cyber Risk & Economics, Group Cybersecurity Office, Fresenius Group.

Using FAIR and MITRE to Understand How Controls Impact Risk

The next session shifts focus to controls and FAIR-CAM as we understand how using FAIR and MITRE Controls Impact Risk. Welcome back Tom as moderator and our panelists, Frédéric Bouveresse, IS&T Cyber Risks Governance Specialist, Alstom and Francesco Chiarini, Global Head - Technology Resilience, Sandoz.

Automating and Scaling FAIR Quantitative Risk Analysis Sponsored by Safe Security

Enterprises adopting FAIR face a critical hurdle in scaling operations due to the manual nature of the process. Recognizing this gap, FAIR has introduced two extensions: FAIR-CAM, the controls analytics model, and FAIR-MAM, the materiality assessment model.

A FAIR Artificial Intelligence (AI) Cyber Risk Playbook

The FAIR Institute presents FAIR-AIR, a FAIR-inspired approach to help you identify your AI-related loss exposure and make risk-based decisions on treating this new category in cyber risk management – new but a puzzle to be solved using the FAIR techniques of modeling and quantifying cyber risk that our community has validated for years.

CIS 8.0 to FAIR-CAM Mapping V1

A team of FAIR Institute members led by FAIR creator Jack Jones have mapped the CIS Critical Security Controls v. 8.0 to the new FAIR Controls Analytics Model (FAIR-CAM™). The CIS Controls are a popular 18-category set of best practices that, like other cybersecurity frameworks, tell you what controls to implement but not what measurable effect they have on reducing cyber risk singly or as an interdependent system. Jack developed FAIR-CAM to make compliance with frameworks more about mitigating risk than checking off boxes on a list.

NIST CSF 1.1 to FAIR-CAM 1.0 Mapping

NIST CSF 1.1 to FAIR-CAM 1.0 Mapping

Webinar: The NIST Artificial Intelligence Risk Management Framework (AI RMF)

The NIST Trustworthy and Responsible AI Resource Center published the Artificial Intelligence Risk Management Framework (AI RMF) in early 2023 to support the responsible adoption of trustworthy AI systems. The voluntary, risk-based, rights-preserving, and flexible framework provides an approach for organizations to manage the benefits and risks of AI through specific approaches outlined in the AI RMF. The AI RMF is designed to function as part of a larger organizational risk management program specifically to mitigate the potential of harms to people, organizations, and ecosystems (people & planet) unique to AI systems. Today, Martin Stanley will provide an overview of the AI RMF and supporting NIST resources available to assist organizations in responsibly adopting AI. Martin Stanley is the Strategic Technology Branch Chief and leads the research and development program for the Cybersecurity and Infrastructure Security Agency (CISA/DHS). Martin previously led the Cybersecurity Assurance Program at CISA and the Enterprise Cybersecurity Program at the U.S. Food and Drug Administration. Prior to his federal service Martin held executive leadership positions at Vonage and UUNET Technologies. Martin recently co-authored “Digital Health”, an Oxford University Press Publication in 2021. Martin is currently assigned to NIST to advance adoption of the NIST Artificial Intelligence Risk Management Framework.

Throwing the 'Bad' Data in With the Good – Sponsored Webinar with Ostrich Cyber-Risk

In this webinar, participants will be introduced to a simple way to think about and communicate the relative value of data inputs to FAIR analysis and learn about the concept of a “risk information classification framework”. Attendees will also hear about how such a framework may be used for reducing the likelihood of “analysis data rejection” from the business and how to implement a managed approach for improving precision, visibility, and confidence in analysis.

Keynote Address: The Future of Risk Analysis in an AI and Automation World

I am very honored to present our Day 2 Keynote Speaker this morning, Jack Jones, author of the FAIR model and Chairman of the FAIR Institute presenting the Keynote Address today, “The Future of Risk Analysis in an AI and Automation World.” Jack has worked in information security for over thirty-five years, ten years of which as a CISO with three different companies, including a Fortune 100 company. In 2012 Jack received the CSO Compass award for risk management leadership. An adjunct professor at Carnegie Mellon University, he teaches in the CRO and CISO executive programs. Jack created the “Factor Analysis of Information Risk” (FAIR) model which has been adopted as an international standard. Currently, Jack is the Chairman of the FAIR Institute and the Chief Research Scientist at Safe Security. He has also co-authored a book on FAIR entitled “Measuring and Managing Information Risk, a FAIR Approach” which was inducted into the Cyber Security Canon in 2016.

Panel: How to Get Ready for the New SEC Rule on Cybersecurity

I am excited for our first panel today titled “Panel: How to Get Ready for the New SEC Rule on Cybersecurity”. Nothing has pushed CRQ more front and center than the release of new rules from the Securities and Exchange Commission (SEC) on cyber risk disclosure – and the concern and confusion around what’s a material cyber risk. Together, we will tackle the issue head-on with expert panelists, including the SEC’s cyber enforcement chief. Led by moderator Kim Nash, Deputy Bureau Chief, WSJ Pro Cybersecurity, please help me welcome the panelists to the stage: • David Hirsch, Chief, Crypto Asset and Cyber Unit in the Division of Enforcement, SEC • Brian Walker, CEO, The CAP Group • Kurt John, CSO, Expedia Group • Richard Borden, Cybersecurity and Privacy Partner, Frankfurt, Kurnit, Klein, & Selz

Quantifying Multi-Product Security and Privacy AI Risk with FAIR and NIST AI RMF

This track is focused on one of the hottest topics in our industry right now, AI. How can organizations balance the opportunities that arise from AI adoption while managing its risk? What does AI risk actually mean? How can we best manage it? Those questions are coming fast, and FAIR practitioners of quantitative cyber risk management are adapting rapidly. First up in our track today are Tyler Britton, Security Engineer and Taylor Maze, Risk & Governance Manager at Dropbox. They will be presenting on their work with this case study session titled “Quantifying Multi-Product Security and Privacy AI Risk with FAIR and NIST AI RMF.”

Challenges and Opportunities of Moving to Quantitative Risk Management in ERM

Help me welcome our panelists today: Evan Wheeler, Senior Director, Technology Risk Management at Capital One and FAIR Institute Advisory Board Member Ted Webster, Chief Security and Privacy Officer,

Accelerating your GenAI Adoption Through AI Risk Posture Management

Presenting today is Pankaj Goyal, Director of Standards & Research at the FAIR Institute, joined by Brandon Sloane in AI Governance at Meta.

Patch Prioritization with FAIR-CAM™

Next we have Denny Wan, Co-Chair, Sydney Chapter and the FAIR-CAM Workgroup, John Linford, Forum Director at The Open Group, and Sasha Romanosky, Senior Policy Researcher at RAND. The timely application of software patches is the first line of defense against malware by reducing the attack surface. This presentation will discuss how to apply the FAIR-CAM model to inform on the effectiveness of a patch prioritization policy.

The State of the CRQ Market

Here to give a view of the entire state of the CRQ Market, please welcome to the stage, Cody Scott, Senior Analysts for Security and Risk at Forrester Research. Cody will be focusing on what users are asking for and where the market is now, including both the positives and the challenges, and where the industry research needs to focus moving forward.

How is the Discussion About Cyber Risk Changing at the Board Level?

We are lucky to have with us today a superstar panel on “How the Discussion About Cyber Risk is Changing at the Board Level?”. Reminder to please use the QR code and follow the instructions on page 2 in your program to submit questions. Led by moderator Larry Clinton, President of the Internet Security Alliance (ISA), please help me welcome the panelists to the stage: • Elias Oxendine IV, CISO, Yum Brands • Kevin McCarty, CISO, Cigna US Healthcare • Kris Lovejoy, Board Member, Dominion Energy and Global Security and Resilience Practice Leader, Kyndryl • David Burg, Americas Cybersecurity Leader, EY

Connecting Threat Intel to risk with MITRE ATT&CK and FAIR™

We are lucky to have with us today a great session on “Connecting Threat Intel to risk with MITRE ATT&CK and FAIR™".  Please help me welcome the panelists to the stage, Jon Baker, Director, MITRE Center for Threat-Informed Defense Arvin Bansal, vCISO, Fortune 500 Company Vidit Baxi, CISO, Safe Security

Introducing FAIR-MAM™ - A Comprehensive Approach to Loss Modeling in FAIR™

This track is focuses on way in which we can build on the FAIR model, making improvements and advancement to our risk management practices. Starting today with an introduction in FAIR-MAM, FAIR Materiality Assessment Model. Join me in welcoming: • Erica Eager, Senior Director, Risk Quantification, Safe Security • Filippo Curti, Financial Economist, Federal Reserve Board of Richmond • Tom Macphee, Cyber Risk Senior Manager, Cigna

Cyber Insure or Self Insure?

My name is Arturo Perez-Reyes Strategist, SVP, Cyber and Technology at Newfront. Welcome to our session today that will ask the question “to cyber insure, or to self-insure?”! Joining me on stage are my esteemed colleagues: • Tom Srail, EVP Cyber Risk, Willis Tower Watson • Brandon Pinzon, SVP, Chief Security Officer, Argo Group Insurance • Mayur Patel, VP, Senior Cyber Underwriter, Munich Re

Using the FAIR Model for AI Risk-Based Accountability

The purpose of this session is sharing practical risk-based compliance tips, by using the FAIR model in order to fix Impact Assessments. The presentation will show convenient tactics for adapting several concepts such as primary and secondary losses, and temporary-bound probability, all in a multidimensional compliance environment. Welcome to the stage Luis Enriquez, Professor at Université de Lille (France), and Universidad Andina Simón Bolivar (Ecuador)!

Measuring Controls Effectiveness and Risk with FAIR-CAM™

Join our speakers Bryan Smith, VP Product Management at Safe Security and Tyler Britton, Security Engineer at Dropbox as we dive into measuring controls effectiveness and risk with FAIR-CAM™

Deriving Probability Distributions with Pairwise Relative Comparisons

This presentation supports the FAIR contention that we need to use ranges or distributions for probability and impact in FAIR for risk management. More importantly, this presentation shows how the PERT-styled distributions used in FAIR analyses can be supplemented with pairwise comparisons that can reduce ‘noise’ inherent in measuring uncertainty, thus producing more accurate distributions based on individual judgments as well as judgments from groups of individuals. The process is based on pairwise comparisons of a range of uncertain outcomes, such as the frequencies of an event.

Measuring Real Life Cyberattacks on Enterprise Networks

Our next session will explore a novel approach to measuring loss events of realistic cyberattacks, empowering organizations to assess their security resilience based on changing threat landscapes and make data-driven decisions for bolstering their defenses against evolving cyber threats. Please welcome Christian Ellerhold, Lead Principle Engineer, Cyber Risk Management at Infineon Technologies to the stage!

The Rising Ambition of Cyber Risk Management Programs

Now we are lucky to have a case study panorama with a stellar lineup of experts discussing the most important things facing a cyber risk management program today. Led by moderator Daniel Stone, Director at Protiviti, allow me to introduce our panelists: Meena Martin, VP, Cyber Risk and Assurance, GSK Dan Phillips, Security Risk Management Lead, Meta Robert Immella, Global Leader, CRQ, Caterpillar Valmiki Mukherjee, Chairman, Cyber Future Foundation

FAIRCON23 Closing Remarks

Thank you all for sharing your expertise. Let’s get ready now for the conclusion of the conference. Closing Remarks will begin momentarily as we allow the rest of the conference attendees to join us here in the Grand Ballroom.

FAIRCON23 Welcome Address

Now without further ado, it’s time to get FAIRCON23 kicked off! It is my pleasure to introduce Nick Sanna, Foudner of the FAIR Institute and Dave Burg, Americas Cybersecurity Leader at EY. Nick founded the FAIR Institute in 2016 as an expert non-profit organization due to a growing demand from an expanding FAIR community. The idea was to create a forum for learning about FAIR, for developing and sharing innovative best practices, and to serve as a platform and for networking with peers. Dave Burg serves as EY’s Americas Cybersecurity Leader. In this role, he assists clients in reactive and proactive consulting capacities involving the deployment of information technology solutions and their use. Please welcome Nick and Dave!

Keynote Panel: Navigating the Confluence of Cybersecurity and AI: Mitigating Risks for the Future

As the stage gets set to continue into our Keynote Conversation, please help me welcome two very special guests. Joining us today are Chris DeRusha, Federal Chief Information Security Officer and Deputy National Cyber Director and Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA. We are very grateful to have Chris and Eric here to be in conversation with Nick on “Navigating the Confluence of Cybersecurity and AI: Mitigating Risks for the Future.” The focus of the session will be specifically on how AI affecting cyber risk management. The panel will discuss what how to make sense of AI risk, what to do with it, and of course, the subject of AI from the Federal perspective.

Panel: What Models Do We Need to Improve Risk Management in the 21st Century?

The next session “What Models Do We Need to Improve Risk Management in the 21st Century?” is packed with experts. We are about to get key insights, advice, and tips from C-Level experts who are leaders of this quantitative movement. Reminder to please to submit your questions using the QR code in the program. Moderated by Robert Rodriquez, Chairman and Founder of SINET, please help me welcome our esteemed panelists: Paul Selby, CISO at US Department of Energy Jennifer Buckner, SVP Technology Risk Management at Mastercard Nathaniel Davis Jr, Vice President, Corporate & Defense Security at Rolls-Royce Ian Rathie, CISO at The Fitch Group Kurt John, CSO at Expedia Group

Improving Cyber Visibility and Decision-Making at Maersk

Now, please allow me to introduce our next session with Neil Davis, Head of Cyber Risk Management at Maersk titled “Improving Cyber Visibility and Decision-Making at Maersk.” This case study session will provide a world class example of how Maersk is using quantification to improve cyber risk visibility and their companywide decision making. Neil leads the cyber risk team at AP Moller-Maersk, providing insight into risk exposure by identifying, assessing, and managing the cyber risks faced by Maersk and its supply chain, in support of strategic and tactical decision making - balancing risk and return.

Winning Over The Doubters - Cutting Through Complexity to Exceed Stakeholder Expectations

In this session, you will hear from Robert Moore, Vice President of Technology Risk at Mastercard and Tom Callaghan, Co-Founder at C-Risk as they give a case study presentation on winning over the doubtes. These tips will help you to get through the perceived complexity of quantification in order to effectively communicate to the business and exceed stakeholder expectations.

Leveraging Risk Quantification to Build An Integrated Risk Management Program

Our last session in Track 2 today is presented by Damian Apone, Global Director, Governance, Risk & Compliance at Genuine Parts Company and Chris Correia, Associate Partner at IBM. They will discuss the journey that GPC has undertaken with IBM’s support to build a holistic risk management program. They will discuss how GPC decided to use risk quantification as a foundational capability to enhance risk identification, risk reporting and prioritization of security projects to optimize GPC’s security operations. Damian will share his experiences working with leadership to demonstrate the value of risk quantification along with some of the challenges and early successes the organization faced in the adoption of risk quantification. In addition, Damian and Chris will discuss how risk quantification is supporting GPC as in their review of risk appetite, executive level reporting and cybersecurity insurance.

Connecting Cyber Risk Assessment to Integrated Decision Management

I am sure that many of you started making great connections during the networking break. Now, please allow me to introduce our next session with Doug Hubbard titled “Presentation: Connecting Cyber Risk Assessment to Integrated Decision Management” Quantitative risk analysis in cyber is only part of enterprise risk and risk is only part of quantitative decision making. Integrated decision management involves utilizing methods tested in large clinical trials and improving and tracking the performance of models, measurement methods, and even expert judgement. Measuring the performance of decision making itself is the most important - and yet apparently among the last – of critical measurements for organizations to conduct. This session will propose a framework for how we may integrate the empirical methods, new algorithms, and even the psychology of decisions and estimates to improve one of the last and most important frontiers of organizational management.

Is It Raining Risk? What Data says about Cyber Risk in the Cloud

We begin this track with a session by Wade Baker, Co-Founder of Cyentia Institute and Professor at Virginia Tech. Over the years, the Cyentia Institute has published quite a few reports that analyze various aspects of risk in the cloud. Wade is going to provide a a “Greatest Hits” presentation todaywith the goal being to answer questions like “Is cyber risk in cloud environments measurably different than on-prem and, if so, how?” all while tying it back to the FAIR framework.

How to Re-think Third-Party Risk with FAIR-TAM™?

We are launching into new waters here as we discuss how to re-think third party risk with FAIR-TAM, the new FAIR extension for third party risk. Leading this session is Pankaj Goyal, Director for Standards & Research at the FAIR Institute. Joining Pankaj are Sarah Sullivan, Director IS&T Security Performance at Thomas Jefferson University Hospitals and Adam Wells, Senior Manager for Cyber Risk Services at Yum! Brands.

The 2024 Annual Cybersecurity Risk Report

The FAIR Institute Cyber Risk Report is designed to provide reference estimates for the probability, loss, and loss exposure of common cyber events. It summarizes the findings by industry and event themes and details how actionable variables, such as security stance and data retention management, can reduce risk exposure. This year, we are pleased to present original research from EY on the challenges of implementing a cybersecurity program, a survey that revealed the structural problems that hold back many programs and the attributes of the most effective CISOs – as EY calls them, “Secure Creators.” At the FAIR Institute, we believe that transparency and accountability in cyber risk management are best served through cyber risk quantification (CRQ) – with Factor Analysis of Information Risk (FAIR™), the international standard for CRQ, built on a foundation of carefully curated data. We based our 2024 Cybersecurity Risk Report on FAIR analyses and extensive research by our data science advisors. We invite you to discover the most relevant cyber risk data for your organization and benchmark your performance against peers in your industry and others.

The CRQ Program Development Lifecycle

This next case study session will focus on best practices for enterprise- level FAIR-based CRQ program development. From the initial development of a program charter to the measurement and monitoring of program performance and optimization, the well-established phases and processes of the CRQ Program Development Lifecycle provide a proven methodology to ensure productive outcomes including executive-level engagement, analyst proficiency, use case selection, powerful storytelling, business alignment, and higher levels of program success. Join me in welcoming Zach Cossairt, Integrated Risk Program Senior Manager at Equinix and Jon Oppenhuis, Director, Risk Strategy and Success at Safe Security.

Using Cyber Risk Intelligence to Scale Third Party FAIR Assessments

This next case study session is titled Using Cyber Risk Intelligence to Scale Third Party FAIR Assessments with John Feezell, Assoc. Director, Security Counseling at Kyndryl and Bob Maley, Chief Security Officer at Black Kite. In this session, Bob and John will discuss how the additional context of cyber ratings, compliance assessments, ransomware and data breach intelligence and other cyber risk information can help scale your FAIR assessments.

Scenario Planning for Effect

Our last session in Track 1 today is presented by Aaron McKay, Cybersecurity Engineer at SCRAM Systems and Jack Whitsitt, Director of CRQ at Ostrich Cyber-Risk discussing a case study on scenario planning for effect.

Fireside Chat: Incident Response and Materiality

I’m happy to introduce our participants in conversation today discussing Incident Response and Materiality, Kevin Mandia, CEO of Mandiant and Saket Modi, CEO of Safe Security, Technical Advisor to the FAIR Institute. Kevin is the Chief Executive officer of Mandiant at Google Cloud. He has served as the company’s Chief Executive Officer since June 2016, including as Chief Executive Officer of FireEye, Inc. until its corporate name change to Mandiant, Inc. in October 2021. Kevin served as a member of the company’s Board of Directors from February 2016 until September 2022, when Mandiant became a part of Google Cloud. Saket Modi is the Co-Founder and CEO of Safe Security, a Cybersecurity and Digital Business Risk Quantification platform company. A computer science engineer by education, he founded Safe Security in 2012 while in his final year of engineering. Safe Security protects the digital infrastructure of multiple Fortune 500 companies around the world.

4 Steps To SEC Compliance – Sponsored Webinar with Ostrich Cyber-Risk

As the December 2023 SEC deadline approaches, it is crucial for organizations to prepare for changes effectively. Join this webinar with Jack Whitsitt, Director of Cyber Risk Quantification (CRQ) at Ostrich Cyber-Risk, where he will cover: Materiality & Risk: Understand the importance of materiality, risk appetite, tolerance, thresholds, and how to assess and quantify them. CRQ Integration: Learn how CRQ seamlessly measures these concepts, facilitating clear communication with the SEC and your Board. Implementation Steps: Discover actionable steps you can take today.

How to Achieve SEC Compliance with Real-time and Automated FAIR Solution - Safe Security Sponsored Webinar

New SEC Cyber Risk Disclosure Rules mandate transformation in how publicly traded companies identify, measure, and report on the cyber risks that hit the level of material impact. Businesses need to develop frameworks and processes to make this fundamental shift swiftly. But how? Join this sponsored webinar with Molly Slocum, Director of Product Management from our Technical Advisor, Safe Security, moderated by Jack Jones, author of the FAIR™ methodology and Chairman of FAIR Institute. Molly will present on how you can provide your organization with automated, real-time, and quantitative risk management program based on FAIR™. Get actionable insights on how to: Automate FAIR™ to measure the probable material impact of cyber risk Report on material cyber risks in financial terms that satisfy regulators and your Board Demonstrate a transparent cybersecurity strategy protecting investor interests using the most advanced, AI-driven solution. Plus, hear real customer use cases of how AI-driven Cyber Risk Quantification has equipped businesses to identify, measure, and communicate cyber risk in real-time.

An Introduction to the FAIR Materiality Assessment Model (FAIR-MAM™)

The FAIR Institute is releasing a new standard to help organizations assess the materiality of cybersecurity risk and incidents, called FAIR Materiality Assessment Model (FAIR-MAMTM). FAIR-MAM expands the loss magnitude factor of the FAIR model, and provides a more detailed taxonomy and breakdown of loss categories driven by cybersecurity incidents.

What the New SEC Regulation on Cyber Reporting Means for the Risk Management Profession - Webinar

As many of us know, the SEC Commissioners voted to adopt the proposed rule on cyber security. This rule aims to elevate the cyber risk reporting and management practices for public companies (registrants) in the US, to help investors in such companies consider the probable impact of cyber risk as they make investment decisions. This will be a forcing function for companies to adopt trusted cyber risk quantification (CRQ) models such as FAIR™ and adopt processes and tools that provide them with visibility into their material risks and incidents. Tune in to hear industry experts as they explain and discuss what this all means for the risk management profession. Key advice will be shared on how to navigate these new rules together and how CRQ is the top way you can help your organizations be compliant.

GRC and CRQ - A (Good) Story of Codependency - Sponsored Webinar with Ostrich Cyber-Risk

In order to understand how best to plan for and execute Cyber Risk Quantification (CRQ) as a practice and a program, it’s best to start by understanding how it fits into more traditional Governance Risk Compliance (GRC). Leveraging a CRQ tool in a GRC program provides a means to measure cyber risk levels objectively. CRQ is not intended to ‘replace’ or ‘bolt on’ to an existing GRC program. Instead, CRQ informs an evolution of existing practices, and those practices plus CRQ must be taken into consideration as they blend into an enhanced approach to decision-making by leveraging the common ground: METRICS. In this webinar, you will learn how GRC programs and CRQ tools together will help you: More accurately estimate and track exposure of financial losses Prioritize between compliance and regulation requirements Prioritize cyber investments, allocate budget and adjust strategy Highlight the decrease in potential financial losses to determine which regulatory or compliance requirement is worth investing in Inform stakeholders how you are meeting new cyber regulations

Case Study- Improving Cyber Risk Visibility and Decision-Making with Maersk

Moving right along to our next session, allow me to introduce the Cyber Security Risk Team from Maersk. This case study session will provide a world class example of how Maersk is using quantification to improve cyber risk visibility and their companywide decision making. Here to present today are Pooya Alai and Rebekka Kurland!

Keynote by Jack Jones - The Future of Cybersecurity Risk Measurement

Next up, we have the author and creator of the FAIR Model, Jack Jones with a new and forward-looking presentation on The Future of Cybersecurity Risk Measurement. Jack has worked in information security for over thirty-five years, ten years of which as a CISO with three different companies, including a Fortune 100 company. In 2012 Jack received the CSO Compass award for risk management leadership. An adjunct professor at Carnegie Mellon University, he teaches in the CRO and CISO executive programs. Jack created the “Factor Analysis of Information Risk” (FAIR) model which has been adopted as an international standard. Currently, Jack is the Chief Risk Scientist at RiskLens and Chairman of the FAIR Institute, our award-winning global non-profit organization with over 13,000 members worldwide. He has also co-authored a book on FAIR entitled “Measuring and Managing Information Risk, a FAIR Approach” which was inducted into the Cyber Security Canon in 2016.

Keynote by Nick Sanna - How Risk Economics Can Help Us Win the Battle in Cyberspace

For our Opening Keynote, “How Risk Economics Can Help Us Win the Battle in Cyberspace”, it is my pleasure to introduce Nick Sanna, FAIR Institute Founder and President. Nick founded the FAIR Institute in 2016 as an expert non-profit organization due to a growing demand from an expanding FAIR community. The idea was to create a forum for learning about FAIR, for developing and sharing innovative best practices, and to serve as a platform and for networking with peers. He was supported in this effort by the author of FAIR – Jack Jones, the Institute's Chairman - and industry representatives from companies such as Fannie Mae, Cisco, Bank of America, and Northern Trust. Outside of his volunteer work at the FAIR Institute, Nick is the CEO of RiskLens, a software company that has developed an enterprise platform based on FAIR and that acts as the Institute's Technical Advisor. Please welcome Nick Sanna!

Case Study for Cyber Risk Quantification in Luxury Watchmaking with Richemont

Next up is our final case study for the day from Pierre Olodo, Cyber Risk Specialist at Richemont. Pierre will share two scenarios having to deal with CRQ when it comes to luxury watchmaking. A unique take on the craft! Help me welcome Pierre to the stage

Panel - What Does Effective Cyber Risk Oversight Look Like?

We have a stellar panel lined up. This session is titled “What Does Effective Cyber Risk Oversight Look Like?” and it will dive deeper into Nick’s presentation, and you will hear some real-life examples. The group will discuss the different roles around oversight and share leading practices on what works and works well. Help me welcome to the stage our panel moderated by Julian Meyrick: • Phil Huggins, CISO, NHS England • Jo Armstrong, Head of UK Card Technology Risk Management, Capital One • Naomi Gilbert, Head of Cyber Resilience Policy, Dept. for Digital, Culture, Media and Sport • Daniel May, Regional CISO, Commerzbank

Panel - Communicating Cyber Risk to Management and the Board

Welcome back for our next panel session of the day focused on “Communicating Cyber Risk to Management and the Board. We will be discussing the ever present and important topic of communication and will hear the best tips for performing it successfully. Joining us today are our panelists: • Moderator: Jack Whitsitt, Director of Cyber Risk Quantification, Ostrich Cyber-Risk • Keyun Ruan, Risk Economics and Quantification Lead, Google Cloud • Cedric De Carvalho, Head of Group Cyber Risk & Advisory, Richemont

Panel - Moving from a Compliance-Based to a Risk-Based Approach to Cybersecurity

I’m going to invite Jack Jones back to the stage to moderate a panel on “Moving from a Compliance-Based to a Risk-Based Approach to Cybersecurity” that will focus on the benefits and the how-tos of creating an effective strategy around this. Also help me welcome our panelists: • Paul de Luca, Head of Cyber Risk, HPE • Laura Voicu, Manager Security Assurance and Risk Management, InfoSec, Elastic • Hardip Bharj, Head of Security Risk Management, SAP

Approach and Lessons Learned From Building a Cyber Risk Quantification Program with Fresenius

Rolling right into our next case study session from the Fresenius Group. These presenters are going to talk about their experiences and share what they have learned from building a CRQ program. Let’s now welcome to the stage, David Steng, Director, Cyber Risk & Economics, Group Cybersecurity Office and Ferhat Yazgili, Senior Cyber Risk Manager from Fresenius Group.

Europe Summit Closing Remarks with Tony Morbin, News Editor EU, Information Security Media Group

Finally, I am going to hand over the stage to Tony Morbin, Executive News Editor for the EU at Information Security Media Group. Tony has been working and writing in the information security space for years and was previously editor at IT Security Guru and SC Media UK. Tony has been speaking with you all today and listening to the presentations and will now help us close out the day with summary thoughts while relaying them to industry trends.

Measurement Planning Webinar - Sponsored Webinar with Ostrich Cyber-Risk

Often, when getting started with CRQ, organizations tend to focus on how to quantify individual scenarios.  While this is an important step, it soon becomes clear that measuring risk for decision support purposes requires a suite of scenarios working in combination to suit a variety of purposes.  This “scenario suite” should be treated as one entity composed of individual scenarios that are collectively comparable, fit for purpose, re-useable, and sustainable.   At this webinar, we will introduce the concept of developing a “Measurement Plan”  to support this concept and we will touch on several techniques that can be used to assure your Cyber Risk Quantification work meets both current and future needs.

Today’s Best Practices for Cybersecurity Risk Measurement - FAIR Institute Seminar at RSAC23

At RSAC23 this week, FAIR Institute Chairman Jack Jones challenged an audience of 400 in two seminars to move beyond today’s common cyber risk measurement practices that don’t reliably measure risk and re-focus on some basic techniques advanced in Factor Analysis of Information Risk (FAIR™).

How Government Can Help Manage Cyber Risk-The Example of the New Cybersecurity Framework in Jordan

H.E. Eng. Bassam Maharmeh, President, National Cyber Security Center of Jordan

How to Address Common Cyber Risk Management Challenges with FAIR™

Osama Salah, Head of IT Information Security Transformation Program, Abu Dhabi Department of Finance

How Risk Economics Can Help Us Win the Battle in Cyberspace

Nick Sanna, President, FAIR Institute, CEO, RiskLens, Board Member, ISA

Advancing Cyber Risk Management Practices in Your Organization-Practical Tips an Next Steps

Mohamed Adbulrahim, Managing Director, Octopian Security, Co-Chair FAIR Chapter Jordan

Improving Cyber Risk Visibility and Decision-Making-Practical Use Cases

Iman Khalid Al Marzouqi, Group Support Services Director, Alpha Dhabi Holding

FAIR Institue Middle East Summit Sponsors Panel

Measuring and Managing Cyber Risk Effectively-A FAIR Approach

Jack Jones, 3x CISO, Award-winning Author of the FAIR Model, Chairman, FAIR Institute, Chief Risk Scientist, RiskLens

Creating National Cyber Risk and Governance Culture

Ahmed Al-Qawasmi, Chief Internal Audit Officer, MEPS Majdi Armouti, CEO, Digital Haze Ismael Al-Hinti, Pres., Al Hussein Technical University Iyad Khorma, CEO, Aqaba Digital Hub

Webinar - Understanding CRQ - A Buyers Guide Review V2

Jack Jones, Chairman, FAIR Institute; Author, FAIR™ Model

"Understanding Cyber Risk Quantification: The Buyer’s Guide" by Jack Jones - V2 Published 2023

From Jack Jones, Chairman of the FAIR Institute and creator of the FAIR model for cyber risk quantification (CRQ) — the definitive guide to understanding CRQ: What it is (and isn't), its value proposition and limitations, and facts regarding the misperceptions that are commonplace.

Accelerate and Scale FAIR in Your Organization - Q4 RiskLens Sponsored Webinar

Getting Your Money's Worth: Putting Your Controls Inventory to Work

Marta Palanques, Director of Risk Methodologies in Technology Risk Management at Capital One

Case Study: Quantifying the Control and Risk Landscape Using FAIR-CAM

Tyler Britton, Quantitative Cyber Risk Manager at DropBox

New Member Engagement Packet

A quick overview of the FAIR Institute to get you started.

Fireside Chat-A Legislative and Policy Update on Cybersecurity and Risk Management

Moderator: Larry Clinton, President, Internet Security Alliance (ISA) Mark Montgomery, Executive Director, CyberSolarium.org Frank Cilluffo, Commissioner, CSC

Fireside Chat-What the Revised SEC Guidance on Cyber Risk Disclosures Means for You

David Hirsch, Chief of the Crypto Asset and Cyber Unit, Division of Enforcement, SEC Kristy Littman, Fmr. Chief of Enforcement - Cyber Unit, SEC

Panel: Driving Culture Change - From a Compliance to a Risk-based Approach to Cybersecurity

Moderator: Omar Khawaja, CISO, Highmark Health Mark Tomallo, SVP, CISO, Victoria’s Secret Mary Elizabeth Faulkner, CISO, Thrivent Financial Jeff Norem, Deputy CISO, Freddie Mac

Panel: Communicating Cyber Risk to the Board and the Business: How Is It Changing?

Moderator: Julian Meyrick, Managing Partner & Vice President, Security Strategy Risk & Compliance, Security Services, IBM James Lam, Board Director & ERM Author Evan Wheeler, Sr. Director, Technology Risk Management, Capital One Michael Meis, Associate CISO, KU Health

FAIR, Okay, Now What-Steps to Set Up a Quantitative Risk MGT Program at Any Org with Michael Meis

Michael Meis, Associate CISO, KU Health

Managing Cyber Risk as a Strategic Enterprise Risk - John Button, Gartner

John Button, Principal Enterprise Risk Advisor, Gartner

Case Study-Five Objections to FAIR and How to Overcome Them with Netflix

Tony Martin-Vegue, Senior Information Security Risk Engineer, Netflix Prashanthi Koutha, Senior Risk Engineer, Netflix

Presentation-Expedia Groups’ Approach to Build an Effective Security Risk MGT Program using FAIR

Krishna Sheshabhattar, Director, Security, Risk, and Compliance, Expedia Group Randy Spusta, Global Competency Leader, Security Strategy Risk & Compliance Practice, IBM Security

Case Study-Refining the “R” in GRC at Scale with Mike Radigan, Cisco

Michael Radigan, Cyber Risk Advisor, Cisco

Case Study-Scaling FAIR for M&A & Beyond-Combining Bottom-Up and Top-Down Approaches with Richemont

Cedric de Carvalho, Head of Group Cyber Risk & Advisory, Richemont

Presentation-Justifying the Value of Cybersecurity to the Business with Omar Khawaja

Omar Khawaja, CISO at Highmark Health on their BOSITE Framework

Case Study-Harnessing The Voltage Effect to Scale our FAIR Risk Programs with Zach Cossairt, Equinix

Zach Cossairt, Information Risk Program Manager, Equinix

Case Study-Embedding CRQ in the Infosec Governance Process of a Fast-Growing Pop Culture Retail Org.

Markus Kaufmann, CISO, Senior Director of Information Security, Funko Tom Callaghan, Co-Founder, C-Risk

Case Study-Building a Strong Foundation for your Quantitative Risk MGT Program with Tim Wynkoop

Tim Wynkoop, Sr. Information Security Risk Engineer, Equinix

Panel-Scaling a Quantitative Risk Management Program

Andrew Retrum, Managing Director, US Security Program & Strategy Practice Lead, Protiviti Brenda Thayer, Senior Manager, Technology Risk, Fannie Mae David Severski, Senior Security Data Scientist, Cyentia Institute, Brenda Thayer, Senior Manager of Technology Risk, Fannie Mae, Tim Kelly, Senior Manager, Protiviti

Presentation-Unveiling the IRIS 2022-Bigger Scale, Greater Depth, and More Data for Your CRQ Program

Wade Baker, Partner, Cyentia Institute David Severski, Senior Security Data Scientist, Cyentia Institute

Presentation-Trends in Determining Systemic Cyber Risk for the Financial Services Industry

Matthew Tolbert, Sr. Cybersecurity Specialist, Supervision and Regulation, Fed Reserve Bank of Cleveland

Closing Remarks with Derek Johnson and Jack Jones

Jack Jones, Chairman, FAIR Institute and Derek Johnson, Senior Reporter, SC Media

Presentation-Scaling FAIR for Third Party Risk Management with Black Kite

Bob Maley, Chief Security Officer, Black Kite

FAIRCON22 Welcome Address

Nick Sanna, President, FAIR Institute

Keynote Address: Trusting Risk-Informed Decisions with Jack Jones

Jack Jones, Chairman, FAIR Institute

Keynote - How Risk Economics Can Help Us Win the Battle in Cyberspace with Larry Clinton

Larry Clinton, President, Internet Security Alliance (ISA)

Presentation: Subjective Judgements: Outperforming Your Current Best Experts with Doug Hubbard

Douglas Hubbard, President, Hubbard Decision Research

Panel-CIS, NIST 800-53, ISO27000-Mapping Leading Control Frameworks to FAIR-CAM™

Moderator: Jack Jones, Chairman, FAIR Institute Daniel Stone, Associate Director, Security & Privacy, Protiviti Erin Macuga, Manager Risk and Information Security, Thrivent Financial Robert Immella, Global Leader of Cyber Risk Quantification, Caterpillar Inc Tyler Britton, Quantitative Cyber Risk Manager, DropBox Drew Brown, Information System Security Developer, FAA

Presentation-How to Scale FAIR Programs with Controls Analytics with RiskLens

Jack Jones, Chairman FAIR Institute, Chief Risk Scientist, RiskLens Bryan Smith, CTO, RiskLens

Maturing A Quantitative Risk Management Program in the Federal Government

Maturing A Quantitative Risk Management Program in the Federal Government

Critical Do’s and Don’ts of Cyber Risk Board Reporting

Critical Do’s and Don’ts of Cyber Risk Board Reporting

Building a Quantitative Cyber Risk Program Based on FAIR

Building a Quantitative Cyber Risk Program Based on FAIR

New study demonstrating CRQ parameters

The Cyentia Institute just released a new study that analyzes 2000 incidents affecting nonprofit organizations to derive estimates and parameters for loss event frequency, loss magnitude, common incident patterns, etc.

Presentation - Assessing Cyber Resilience Preparedness

Understanding the Value of Controls in Cyber Risk - Unveiling the FAIR Controls Analytics Model

Case Study - Using FAIR & Cyber Risk Quantification to Increase Resilience for Your Company

Presentation - Implementing a CRQ Program in a Global Organization

Panel Session - Mapping FAIR-CAM to Controls Frameworks

Presentation - Building Resilience in Cyberspace: Reporting on Progress from the Cyberspace Solarium

Presentation - Data Science for Practical Risk Management with Cyentia’s IRIS Retina

Welcome Remarks and Opening Keynote: Managing Risk and Building Resilience

Case Study - Providing Visibility into Operational Risk with FAIR

C-Level Panel - How Risk Mgt is Helping Companies Be More Resilient during Digital Transformation

Presentation - Assessing Risk as Part of a CMMC Program

Case Study - Regulatory Considerations for Operational Resilience

Fireside Chat - How To Get a FAIR Program Off the Ground

Case Study - Adopting FAIR - Transition from Cyber to Operational Risk

Case Study - Just Quantify It: Make Better Business Decisions for TPRM

Keynote Address - Designing Resiliency and Security at a Time of Uncertainty and Change

Presentation - Practitioner Use Case Panorama

Board Panel - Improving Risk Governance and Avoiding Blind Spots, Biases and Bad Incentives

Case Study - Accelerating FAIR Analyses by 10x with Industry Data

Case Study - Use of FAIR For Emergency Management Planning and Preparedness

Panel - Experiences from the Field: Reporting Top Risks to the Board

An Overview of the FAIR Controls Analytics Model (FAIR-CAM™)

Click below to download the white paper "An Overview of the FAIR Controls Analytics Model (FAIR-CAM™)"

FAIR-CAM™ FAQs

FAIR-CAM™ FAQs:

Case Study - Closing the MFA Gap - A FAIR-CAM Case Study

Presentation - Ensuring the Resilience of National Critical Functions

Presentation - Rapid Policy Exception Management: Controls Alignment with FAIR-CAM

Description of the FAIR-CAM™ Standard

Download the white paper below.

Protiviti Sponsored Webinar - Establish Your Cyber Risk Management Baseline

After an organization has successfully conducted FAIR analyses*, many wonder how they can expand their use of risk quantification to better understand their overall cyber risk exposure.

2019 Cyber Risk Management Maturity Benchmark Survey

The FAIR™ Institute’s third annual Cyber Risk Management Maturity Benchmark Survey results are in, and show “a lot of opportunity left in the risk management space for improvement,” says survey report author and FAIR Institute Fellow Jack Freund, PhD.

PRMIA Cyber Risk Management Forum - Day 1 Keynote by Nick Sanna, President of the FAIR Institute

PRMIA Cyber Risk Forum - Practical Implications of Managing Cyber Risk in Financial Terms

FAIR Institute Chapter Meeting - Advanced Track Meeting 1 - Reporting Risk to the Board

Presenters: Matt Kruse, FIS Global, Senior Director - Risk, Information Security and Compliance (RISC), FIS Global, Nick Corzine, Manager, Quantitative Cyber Risk Analysis, Centene

FAIR Institute Chapter Meeting - Incentivizing Better Risk Decisions: Lesson From Rogue Actuaries

Presenter: Tony Martin-Vegue - Sr. Information Security Risk Engineer/Netflix

FAIR Institute Chapter Meeting - What They Didn't Teach You In Fair School

Presenter: Jack Whitsitt - FAIR Institute Board Member, SIRA Board Member, Cybersecurity Psychologist

Webinar: Protiviti Experts Break Down NISTIR 8286 – Perspectives from the Field - Protiviti Sponsor

Slides and recording available below

The Bald Tire Scenario - with Jack Jones

Measuring the Cyber Attack Surface - RiskRecon Sponsored Webinar Recording

Webinar recording and slide deck below.

FAIR Institute and HITRUST Plan Integration of FAIR Standard and HITRUST CSF

The FAIR Institute and HITRUST® launched an effort to integrate FAIR™, the international standard for cyber risk quantification, with the HITRUST CSF, the cybersecurity controls framework in use at hundreds of thousands of organizations, including 75% of Fortune 200 companies.

C-Level Panel - Improving Decision Making through the Adoption of FAIR

Frank Kim, Curriculum Director, SANS Institute

Clarifying SEC’s Expectations for Cyber Risk Disclosures

Kristy Littman, Chief, Cyber Unit, Division of Enforcement, U.S. Securities and Exchange Commission (SEC)

Roundtable - A Strategic Approach to Defending the U.S. in Cyberspace

Moderator: Nick Sanna, President, FAIR Institute

Use Case Panorama - How FAIR Analysis Improves Risk Communication and Decision Making

Moderator: Donna Gallaher, Board of Advisors, FAIR Institute

Roundtable - Helping the Board Exercise Proper Cyber Risk Oversight

Larry Clinton, President, ISA

Case Study - How FAIR Analyses Support Decision-Making at Netflix

Tony Martin-Vegue, Sr. Information Security, Risk Engineer, Netflix

Presentation - Improving DevSecOps with FAIR at Doordash

Sarina Hothi, Security Project Manager, DoorDash

Presentation - Updates to the Open FAIR Standards

John Linford, Forum Director, Security Forum & Open Trusted Technology Forum (OTTF), The Open Group

Keynote Conversation-How to Help the Business Make the Right Decisions on Risks They Struggle to See

Michele Wucker, Author, "The Gray Rhino: How to Recognize and Act on the Obvious Dangers We Ignore"

Case Study - Decision Making with FAIR - Quantification and The Rise of Class Action Lawsuits

We have all seen the value of running FAIR analysis across a number of business situations. But how can the output of FAIR analyses be applied to everyday business decisions?

Presentation - The Team as a Measurement Instrument

Douglas Hubbard, Author, "How to Measure Anything in Cybersecurity Risk"

Panel - How FAIR Can Help Better Integrate Cyber Risk with ERM

Moderator: James Lam

Case Study - Building a Program with HITRUST & FAIR

Marshall Lambert, Team Lead, Cyber Risk Quantification, Highmark Health

Case Study - Protecting Government Information and Assessing Controls at Scale

Anthony Corso, Assistant Commission, Office of the Victorian Information Commissioner

Conversation - OCC Insights for Cyber Risk Assessments

Bill Barouski, Chief Information Risk Officer, Northern Trust Corporation

Presentation - Drivers for IRM, Digital Transformation & Cost Optimization

Moderator: Sounil Yu, CISO, YL Ventures & Board of Advisor Member, FAIR Institute

Opening Keynote: Factoring Risk in Decision Making: Better Risk Measurement Enables Better Decisions

Welcome Remarks and Opening Keynote: Factoring Risk in Decision Making: How Better Risk Measurement Enables Better Decision-Making

Presentation - How to Rapidly Triage Issues and Findings to Focus on What Matters Most

David Elfering, Senior Director of Information Security

Pres.-Managing Risk in Times of Crisis: Applying FAIR to Become More Business-Centric during COVID

Omar Khawaja, CISO, Highmark Health

Presentation - How Better Data Can Help Executives Make Better Decisions

Wade Baker, Partner & Co-Founder, Cyentia Institute; Member, Board of Advisors, FAIR Institute

Case Study - Reporting Cyber Risk to the Board: Real Life Examples

Matt Kruse, Senior Director - Risk, Information Security and Compliance (RISC), FIS Global

Presentation - Prioritizing NIST CSF Activities with FAIR

Richard Barretto, Security Operations Manager, Cimpress Jack Freund, Fellow, FAIR Institute

Case Study - Enhancing HIPAA Risk Assessment with FAIR

Reny Mathew, InfoSec Analyst, Cambia Health Solutions

Case Study - Building A Quantitative Risk Management Program in the Federal Government

Emery Csulak, Principal Deputy Chief Information Officer, U.S. Department of Energy (DOE)

Presentation - Support Your Company’s Digital Transformation during Times of Crisis

Harold Marcenaro, Digital Risk Officer, Banco de Credito del Peru (BCP)

Weaving a Safer Web: Significant Risks from Insignificant Details - RiskRecon Sponsored Webinar

As organizations continue to adjust to the current digital climate security teams have had to shift their focus - enhancing work-from-home security measures, managing changes to the digital supply chain, monitoring the ever-expanding data universe - but recent research has shown that some businesses are ignoring some basic security principles, thus leaving themselves exposed to serious threats.

Rapid Risk Assessments: Identifying and Prioritizing Risks in Minutes Instead of Months - RiskLens

Many information security teams are running risk assessments that are qualitative in nature and do not provide results in terms business leaders and decision makers can understand.

Using FAIR to Understand Change in Resilience Risk - Protiviti Sponsored Webinar

This webinar is a step-by-step walk-through from the primary authors of Protiviti’s latest thought leadership piece, “Understanding Changes in Resilience Risks From Technology Advancements.”

How Financial Risk Quantification Can Help Federal Agencies Better Integrate Cybersec. Risk & ERM

Listen in to learn how Financial Risk Quantification can assist in integration of Cybersecurity Risk and ERM.

Reducing Cybersecurity Risk by Automating Continuous Vendor Assessment - Sponsored by RiskRecon

Assessing cybersecurity risk has taken on a new meaning as organizations shift toward virtual, and companies focusing on maintaining operations.

ISACA Journal Case Study: ‘Building a Rock-Solid ERM Culture on FAIR™’

The latest issue of the ISACA Journal) presents a detailed case study on the long-running FAIR™ program at Rock Holdings, Inc. (parent company of Quicken Loans and Rocket Loans), and how “FAIR implementation transformed the business’ enterprise risk management (ERM) program and risk culture.”

Making Better Cyber and Technology Risk Decisions - Part 1 Webinar with Jack Jones

Successfully managing today’s complex and dynamic cyber and technology risk landscape requires being able to prioritize well and communicate effectively to executive stakeholders.

FAIR Breakfast Meeting During RSAC20 - Building Effective Cyber Risk Management Programs that Work

Key Points from Jack Jones and CISOs on Adopting FAIR

FAIR Breakfast Meeting During RSAC20 - Building Effective Cyber Risk Management Programs that Work

All slide decks are attached for download below.

Am I Mature Enough to Adopt FAIR? - Uncovering the True Success Factors

Finding your team's "True North" when starting a FAIR program can be overwhelming.

Various Stages of FAIR Adoption - Geoji Paul, Centene and Nathan Thomack, Emerson

Please welcome to the stage Geoji Paul, Director of Information Security Risk at Centene and Nathan Thomack, Manager of Cybersecurity Risk Management at Emerson for their session “Various Stages of FAIR Adoption.”

Integrating Cyber Into ERM

Thank you all for joining our panel session “Integrating Cyber Into ERM.”

Why Digital Business Needs IRM & Risk Quantification by John Wheeler, Gartner

Day 2 Keynote Speaker, John Wheeler, Global Research Leader - Risk Management Technology at Gartner.

Using FAIR to take the Headache out of considering Cyber Insurance for your Business - Walmart

At Walmart, the use of FAIR-based risk quantification methods enable decision makers to effectively evaluate cyber-insurance policies.

A Crash Course on Quantitative vs. Qualitative with Evan Wheeler

The title of this presentation is “A Crash Course on Quantitative vs. Qualitative.” This presentation will help us answer the questions of should I adopt a formal risk model, and should I quantify risk.

Pen Testing Your Board Pitch: An Interactive Exercise

This session will provide actionable advice on satisfying board members’ appetite for cyber risk analysis on an equal, quantitative footing with enterprise risk analysis (ERM).

Integrating Strategic Cyber Threat Intel and FAIR, Musso Shaikh, Cyber Threat Intel, Fannie Mae

A mutually beneficial relationship exists between threat intelligence and quantitative risk assessments via FAIR.

Scoping Enterprise Risk Assessments - Keith Weinbaum, Quicken Loans

Please welcome Keith Weinbaum, Enterprise Risk Management Architect at Quicken Loans.

Operationalizing Risk Quantification in Business Processes with Jack Whitsitt

So, you’ve brought in FAIR into your organization. You got the executive buy-in, were trained, and are now a FAIR-shop.

Closing the Risk Management Loop with Cyber Risk Quantification with Greg Rothauser

A growing list of financial services organizations are using FAIR to mature information risk management function and effectively address the most significant risks.

Building a Cybersecurity Program with a Risk Management Framework & FAIR

Many organizations rely on risk management frameworks such as NIST CSF and HITRUST as guidance for building best practice cybersecurity programs.

CISO Panel: Defining the Goals of an Effective Risk Management Program

The next session “Defining the Goals of an Effective Risk Management Program” will include expert CISOs who are leaders of this movement and who will share their experience with us.

How to Measure Risk with Limited and Messy Data: Overcoming the Myths by Doug Hubbard

Doug is the author of the books How to Measure Anything, How to Measure Anything in Cybersecurity Risk and The Failure of Risk Management and a consultant through Hubbard Decision Research.

The View from U.S. Congress Cong. Jim Langevin, Co-Chair Congressional Cybersecurity Caucus

Securing our nation’s technology infrastructure against cyber-attacks is a top priority for Rep. Langevin.

Managing Organizational and Third-party Risk in the Age of Digital Transformation

Managing Organizational and Third-party Risk in the Age of Digital Transformation: Practical Lessons and Data-influenced Considerations

Use Case Panorama - How Quantification Enables Risk-Aligned Decision Making

Real-life business decisions at some of the world's largest companies are being made every day based on quantitative risk assessments.

Welcome Address, Nick Sanna, President, FAIR Institute

Enabling Risk Management Programs That Actually Work by Jack Jones, Chairman, FAIR Institute

For our opening keynote, I would like to introduce Jack Jones, author of FAIR and Chairman of the FAIR Institute, who will discuss , “Enabling Risk Management Programs That Actually Work.”

Compilation of Risk Assessment Guidelines from Various Regulatory and Compliance Entities

The Cyber Risk Management Workgroup has now published a compilation of risk assessment guidelines from various regulatory and compliance entities intended to be used as an overview for practitioners.

Regulatory/Compliance Risk Assessment Overview for FAIR Practitioners

Attached is the Cyber Risk Management Workgroup Deliverable "Regulatory/Compliance Risk Assessment Overview for FAIR Practitioners"

The Road to Cyber Risk Maturity - 2018 Risk Management Maturity Benchmark Survey Report

Our second annual Benchmark Survey Report to provide insights into the current state of the industry and how best to move forward.

Video: 2018 Risk Management Maturity Benchmark Survey Results Webinar

Video: 2018 Risk Management Maturity Benchmark Survey Results Webinar

Wheel of Fire Hits Stack - A New Way of Visualizing Effective Risk Management

"We need effective risk management to make well-informed decisions and we need effective risk management to measure those decisions and, over time, sometimes a relatively short time, to challenge the status quo as our environments change and as we know and understand more.

Jack Jones Managing Cybersecurity Surprises - the Executives Perspective

“Executives hate surprises” begins a new white paper, Managing Cybersecurity Surprises – the Executive’s Perspective, by FAIR model creator Jack Jones, and goes on to detail the four most likely reasons that organizations get blindsided by cybersecurity failures:

Presentation: Key Risk Indicators: A Quantitative Approach

Panel: How to communicate the value of FAIR to internal and external stakeholders

Attached is the Cyber Risk Management Workgroup Deliverable "Regulatory/Compliance Risk Assessment Overview for FAIR Practitioners"

Conference Keynote: The Next Frontier in Risk Management - Jack Jones

Dealing with Ransomware: pay the ransom or pay more by dealing with the consequences?

Keynote: A Risk Committee Chair’s View of ERM and Cybersecurity Oversight - James Lam

Using FAIR to Optimize Your Cyber Insurance Coverage

Reporting to the Board: What got you here, won't get you there Omar Khawaja

Presentation: Catastrophic Risk Modelling

Panel: Shifting the Discussion to Cost-Effective Decision Making

How to get the Buy-In for a quantitative risk management program

FAIR & TBM: Standards together for Managing Tech. and Risk from the Business Perspective

Case Study: Extending FAIR to manage Operational Risk

Awards Luncheon

Panel/Discussion: Bridging the Gap Between the CISO & the CRO

Technical Advisor, RiskLens Sponsored Webinar

Seasoned risk consultant and FAIR expert, Rebecca Merritt, of RiskLens will share her personal path to enlightenment (read: FAIR model!) as a former IT Auditor for a Big 4.

Information Overload - How much do boards really need to know about cyber risk

Slide presentation from Jack Jones on how to better communicate to Boards.

Industrial Company Assesses Ransomware Threat - Sponsored by RiskLens

This case study is designed as a scenario that would help to inform management about the significance of an emerging risk, such a ransomware.

Financial Institution Prepares for GDPR and NYDFS Regulations Using RiskLens - Sponsored by RiskLens

A global banking and financial services holding company with over $300B in total assets is preparing for the upcoming European Union General Data Protection Regulation (GDPR) and New York Department of Financial Services (NYDFS) cybersecurity regulations.

Financial Institution calculates Risk Exposure in Moving to Office 365 - Sponsored by RiskLens

A financial services institution with $10B in total assets was trying to determine if a move to Office 365 from their internally hosted Exchange Server made sense for the organization.

Healthcare Supplier Uses RiskLens to Identify Business Continuity Strategy - Sponsored by RiskLens

A large healthcare supplier serving more than 150 million Americans operated a key fulfillment facility in an area threatened by natural disasters.

Manufacturing Company CISO Confidently Justifies IP Protection Project - Sponsored by RiskLens

The CISO at a global manufacturing company with $50 billion in revenue faced an all-too common problem: intellectual property (IP), critical to their success and position in their market, was scattered throughout the organization, exposing them to grave occurrences of IP ex-filtration.

Video: 2017 Risk Management Maturity Benchmark Survey Results Webinar

Our first annual Benchmark Survey Report and Webinar provide insights into the current state of the industry and how best to move forward.

Where Do We Go From Here? 2017 Risk Management Maturity Benchmark Survey Results Report

Our first annual Benchmark Survey Report and Webinar provide insights into the current state of the industry and how best to move forward.

Improving Risk Decisions

This article will provide insight into the factors that drive risk decisions, the role of business management and security experts in decision making, as well as the information that’s necessary in order to make well-informed risk decisions.

The Failure of GRC

In this white paper, Jack Jones shares five reasons why many organizations are, at best, realizing only one of many important objectives.

Effectively Leveraging Data in FAIR Analyses

With the advent of FAIR, organizations finally have a model that enables effective cyber risk measurement. As a result, this document will provide guidance and examples to help organizations improve their FAIR-based risk analyses using these data sources.

A Clarification of "Risks"?

People in the risk management profession routinely use the word “risk” in different ways. Although this may be fine in a non-professional setting, it presents significant challenges in terms of our ability to accurately and efficiently identify, measure, and communicate about risk.

How You Prioritize, Matters

This paper describes at a high level a comparison of the relative efficacy of prioritizing risk remediation activities using qualitative versus quantitative methods.

Cost-Benefit of Implementing Credit Card Database Tokenization

Review a case study on how much credit card number tokenization can reduce the risk associated with the card datastore.

A Risk-Based Approach for Information Security and Fraud Analytics

Review a Big Data Case Study on Using a Risk-Based Approach for Information Security and Fraud Analytics.

Learning Institution Assesses Best Architecture To Secure Cloud App

Understand how much risk is associated with different security encryption strategies related to cloud data.

Cyber Risk Management Maturity

This document describes a more fundamental approach to defining and evaluating cyber risk management maturity.

Mapping NIST CSF & FAIR - Slides from the Data Utilization Workgroup Call (11/08/2017)

Join Jack Jones as he explains how NIST CSF and FAIR act as complements to one another.

Root-Cause Analysis - Break Out of Ground Hog Day

Applying Root Cause Analysis to a portfolio of issues can help identify and resolve systemic issues within your organization.

The FAIR Model

Download the internationally recognized standard FAIR model.