New Book: Fintech Growth and Deregulation

A new book I had the pleasure of editing, along with Diane Maurice and David Fairman, has been recently released. I received my copies today and I’m very happy with the results. This was an interesting project to work on and a problem space that is very modern and moving fast. I was very pleased with the authors I got to work with (Tony Martin-Vegue and Patrick McConnell). They did a great job covering their perspective of the topic (Quantification and Governance).

You can pick up a copy here.


Accepted at RSA – Quant Risk Implementation

I’m very pleased to announce that my proposal was accepted for this year’s RSA Conference! I’ll be giving an overview of the quantitative risk framework I’ve implemented at my firm, TIAA.

I’ll be speaking Wednesday morning (April 18th) in the Security Strategy Track as an Advanced Topic.

Here is the abstract:

This session will review the Cyber Risk Framework implemented by TIAA that scales from the granular level up to business-level aggregate risk reporting, avoiding some typical pitfalls by avoiding being too narrow or broad. Included in this session are discussions about policy, standards, configuration baselines, quantification, ORM/ERM risk reporting, and project lifecycle engagement. 

FAIR plays a big part in our framework, so you can be sure to have your questions answered about how to implement FAIR in your organization.

Lowest Common Risk Denominator

I tackle the notion of risk appetite in this month’s column using some metaphors with which you might be familiar. You don’t get to pick your auto insurance coverage by expressing the number of accidents you are willing to accept, yet that’s how a lot of organizations think about cyber risk. Fortunately, the cyber insurance industry is going to force us all into thinking about risk in dollars, the same as everyone else, because that is the lowest common risk denominator.

You can read more here.

Smart Contracts

I was interviewed for, and quoted in, this ISACA publication around Smart Contracts.

Upon reflection, what we are really seeing is just a continuation of the concept of Code = Law as pointed out by Lawrence Lessig in his 1999 book, Code and Other Law of Cyberspace.

The Smart Contracts doc is a free download (after registration) and can be found here:


Cyber Deterrence

I was reading up on cyber deterrence today and ran across this little gem in relation to nuclear deterrence:

Because of the value that comes from the ambiguity of what the US may do to an adversary if the acts we seek to deter are carried out, it hurts to portray ourselves as too fully rational and cool-headed. The fact that some elements may appear to be potentially “out of control” can be beneficial to creating and reinforcing fears and doubts within the minds of an adversary’s decision makers. This essential sense of fear is the working force of deterrence. That the US may become irrational and vindictive if its vital interests are attacked should be a part of the national persona we project to all adversaries.

–Essentials of Post Cold War Deterrence (1995)