I’m very excited to announce that I will be speaking at the Cyber Future Dialogue in two weeks in Davos, Switzerland during the World Economic Forum. This is going to be an amazing opportunity to converse with distinguished leadership from around the world on the necessity of and practical means to operationalize cyber risk quantification and the FAIR risk methodology.
Welcome to 2020!
I kept busy last month, even with the holidays. Here are some updates:
I wrote a piece for ISACA about how much spending is being done in aggregate for cyber security and how we need to rationalize the controls we are spending on.
The FAIR Institute called this my manifesto here :-)
I’m also really excited that my article on Cyber Risk Prospectuses was published over in ThreatPost. I’ve been talking about this topic for about a year now. I’m not a fan of us pretending that we work for companies that won’t get hacked. It’s not if its when and being clear about how long before we expect that loss is important. The FAIR Institute summarized my point succinctly: “Admit you will probably get breached.”
I’m very pleased to announce that I’ve been accepted to speak again at next year’s RSA Conference. I’m going to be presenting on an Agent Based Model concept using FAIR risk results jointly with my colleague Joel Amick. Joel’s team and my team worked to develop a POC of this work and we can’t wait to share what we developed with you in March!
Here are the details of the session; please be sure to save it to your agenda!
The December issue of the ISSA Journal was released and my article on the Future of IT Risk is on the cover. The theme for this month’s Journal is “The Next 10 Years” and I wanted to highlight where I saw the industry going. I begin with a look back on the progress away from ordinal scale, verbal risk labels and project out on where things will go. I cover regulatory, insurance, and customer pressures to quantify as well as outline a path forward where risk quantification can be used as a competitive advantage.
Check it out in your mailbox or read it online now.
I was very honored to have had the chance to share my quantitative cyber risk journey with the broader security community last week at the RSA Conference. My session had over 100 people in attendance (quite a feat at 8AM on a Wednesday!) and the questions and followups were so good they lasted until we were kicked out of the room. The book signing afterwards caused the bookstore to sell out of copies of Measuring and Managing Information Risk.
I shared some more thoughts on the conference with the FAIR Institute here (where you can also read thoughts from other FAIR practitioners). Lastly, my session slides are available here. Be sure to reach out if you are interesting in learning more; I’ve already had one follow-on session with someone who was unable to attend.
I’m very pleased to announce that my proposal was accepted for this year’s RSA Conference! I’ll be giving an overview of the quantitative risk framework I’ve implemented at my firm, TIAA.
I’ll be speaking Wednesday morning (April 18th) in the Security Strategy Track as an Advanced Topic.
Here is the abstract:
This session will review the Cyber Risk Framework implemented by TIAA that scales from the granular level up to business-level aggregate risk reporting, avoiding some typical pitfalls by avoiding being too narrow or broad. Included in this session are discussions about policy, standards, configuration baselines, quantification, ORM/ERM risk reporting, and project lifecycle engagement.
FAIR plays a big part in our framework, so you can be sure to have your questions answered about how to implement FAIR in your organization.
I tackle the notion of risk appetite in this month’s column using some metaphors with which you might be familiar. You don’t get to pick your auto insurance coverage by expressing the number of accidents you are willing to accept, yet that’s how a lot of organizations think about cyber risk. Fortunately, the cyber insurance industry is going to force us all into thinking about risk in dollars, the same as everyone else, because that is the lowest common risk denominator.
You can read more here.