FAIR Breakfast Meeting During RSAC20 - Building Effective Cyber Risk Management Programs that Work
Video with Slides | Thought Leadership
Key Points from Jack Jones and CISOs on Adopting FAIR
Jack was joined by CISOs Mark Tomallo of Ascena Retail Group and Christopher Porter of Fannie Mae for a ground-level view of introducing and fostering cyber risk quantification in a large organization. “It’s a change management exercise,” Jack said. “You’re changing the way people perform their jobs and make decisions…It’s a bit of a minefield but there are ways to navigate it.”
Jack identified the two biggest change-management obstacles as the attitudes that quantification is “too difficult” and that the usual, subjective approach to risk analysis is “good enough”. In fact, “there’s no advantage to doing really easy risk management,” which may seem to have “no cost up front but all the cost comes later” when unanticipated losses hit.
Jack laid out a roadmap for FAIR adoption that starts with the “Why”, the result of conversations with stakeholders to discover the pain points in the organization. “If you understand the obstacles and pain points, you can choose a starting point that can vastly improve your outcomes.” Then launch your program with the idea that “it’s a continual evolution.”
Chris Porter, CISO, Fannie Mae - FAIR Institute Breakfast Meeting during RSAC20
Chris gave examples of how FAIR revealed insights for cost-cutting that went beyond bread-and-butter decisions on comparing cybersecurity controls. Fannie Mae was able to reduce its exposure to potential data-breach credit-monitoring and notification costs by changing contracts to eliminate holding Social Security numbers, and to reduce its cyber insurance premiums by fine-tuning the policy to avoid over-paying for lower risks.
Mark Tomallo, CISO, Ascena Retail - FAIR Institute Breakfast Meeting during RSAC20
Mark described a well-thought-out plan to engage different stakeholders: starting with switching to FAIR nomenclature in all risk conversations, involving SMEs and line-of-business owners to create loss tables, gathering top-risks lists from VPs, running FAIR analyses in stealth mode, and exposing results to stakeholders when it serves their interests. Mark said he knew he was succeeding when he turned back a finding from audit on a “material weakness” over default passwords that, under FAIR analysis, turned out to be a negligible risk.
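Both stories above come down to the same mechanics: annualized loss exposure is loss event frequency times loss magnitude, loss magnitude is built from per-record loss forms such as notification and credit monitoring, and a treatment (stop holding SSNs) or a finding (default passwords) is judged by how much it moves that distribution. The script below is an added illustration written for this page; it is not code from the FAIR Institute, the speakers, Fannie Mae or Ascena, and every number in it (the frequency estimate, records per event, per-record costs, and the two scenario names) is a constructed assumption, not a figure from the talk. It samples calibrated three-point estimates with a PERT distribution and evaluates both scenarios on the same random draws so the comparison is not swamped by simulation noise.

```python
"""
FAIR-style Monte Carlo for comparing risk-treatment options.

Annualized loss exposure (ALE) = Loss Event Frequency (LEF) x Loss Magnitude (LM).
LEF and each loss form are modelled as (min, most likely, max) estimates and
sampled with a PERT distribution. Scenarios that share the same threat event but
differ in which loss forms apply are evaluated on the same random draws
(common random numbers), so their difference is driven by the inputs, not noise.
All inputs below are constructed for illustration; they are not real figures.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """Three-point estimate sampled as a modified PERT (a scaled beta)."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random, lam: float = 4.0) -> float:
        if self.high <= self.low:          # degenerate estimate: a point value
            return self.low
        span = self.high - self.low
        a = 1.0 + lam * (self.likely - self.low) / span
        b = 1.0 + lam * (self.high - self.likely) / span
        return self.low + span * rng.betavariate(a, b)


def poisson(rng: random.Random, rate: float) -> int:
    """Number of events in a year given an annual rate (Knuth's method)."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


# Constructed inputs (assumptions, not any organization's data): a breach of a
# customer-records store, with per-record costs broken out by loss form.
LEF = Pert(0.05, 0.10, 0.30)                     # breach events per year
RECORDS_PER_EVENT = Pert(10_000, 50_000, 500_000)
LOSS_FORMS = {                                   # USD per exposed record
    "notification":      Pert(1.0, 2.0, 5.0),
    "credit_monitoring": Pert(10.0, 15.0, 30.0),
}
SCENARIOS = {
    "holds_ssn": {"notification", "credit_monitoring"},
    "no_ssn":    {"notification"},               # contracts changed: no SSNs held
}


def summarize(losses: list[float]) -> dict[str, float]:
    """Mean, percentiles and probability of a loss year for one scenario."""
    s = sorted(losses)
    n = len(s)
    return {
        "mean": sum(s) / n,
        "p50": s[n // 2],
        "p99": s[int(0.99 * n)],
        "p_loss_year": sum(1 for x in s if x > 0) / n,
    }


def simulate(iterations: int = 20_000, seed: int = 7) -> dict[str, dict[str, float]]:
    """Annual loss distribution per scenario, all scenarios on shared draws."""
    rng = random.Random(seed)
    annual = {name: [] for name in SCENARIOS}
    for _ in range(iterations):
        events = poisson(rng, LEF.sample(rng))
        year = {name: 0.0 for name in SCENARIOS}
        for _ in range(events):
            records = RECORDS_PER_EVENT.sample(rng)
            cost = {form: est.sample(rng) for form, est in LOSS_FORMS.items()}
            for name, forms in SCENARIOS.items():
                year[name] += records * sum(cost[f] for f in forms)
        for name in SCENARIOS:
            annual[name].append(year[name])
    return {name: summarize(v) for name, v in annual.items()}


def reduction(results: dict[str, dict[str, float]],
              baseline: str = "holds_ssn", treated: str = "no_ssn") -> float:
    """Fraction of annualized loss exposure removed by the treatment."""
    base = results[baseline]["mean"]
    return 0.0 if base == 0 else 1.0 - results[treated]["mean"] / base


if __name__ == "__main__":
    res = simulate()
    for name, stats in res.items():
        print(f"{name:10s} ALE ${stats['mean']:>12,.0f}  p99 ${stats['p99']:>14,.0f}"
              f"  P(loss year)={stats['p_loss_year']:.2f}")
    print(f"ALE reduction from no longer holding SSNs: {reduction(res):.0%}")
```

The same `simulate` shape is what a FAIR analysis of an audit finding looks like: estimate how often default passwords would actually be exploited (LEF), what a resulting event would cost (the loss forms), and compare the resulting exposure against the organization's materiality threshold rather than against the label on the finding. Evaluating alternatives on shared draws is a deliberate design choice; if each scenario used its own random stream, the difference between them at a few thousand iterations could be smaller than the Monte Carlo error.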