I was very honored to have had the chance to share my quantitative cyber risk journey with the broader security community last week at the RSA Conference. My session had over 100 people in attendance (quite a feat at 8AM on a Wednesday!) and the questions and followups were so good they lasted until we were kicked out of the room. The book signing afterwards caused the bookstore to sell out of copies of Measuring and Managing Information Risk.
I shared some more thoughts on the conference with the FAIR Institute here (where you can also read thoughts from other FAIR practitioners). Lastly, my session slides are available here. Be sure to reach out if you are interesting in learning more; I’ve already had one follow-on session with someone who was unable to attend.
I’m very pleased to announce that my proposal was accepted for this year’s RSA Conference! I’ll be giving an overview of the quantitative risk framework I’ve implemented at my firm, TIAA.
I’ll be speaking Wednesday morning (April 18th) in the Security Strategy Track as an Advanced Topic.
Here is the abstract:
This session will review the Cyber Risk Framework implemented by TIAA that scales from the granular level up to business-level aggregate risk reporting, avoiding some typical pitfalls by avoiding being too narrow or broad. Included in this session are discussions about policy, standards, configuration baselines, quantification, ORM/ERM risk reporting, and project lifecycle engagement.
FAIR plays a big part in our framework, so you can be sure to have your questions answered about how to implement FAIR in your organization.