I was humbled this week when I was awarded the FAIR Champion award from the FAIR Institute at their annual conference last week at Carnegie Mellon in Pittsburgh, PA.
Jack Jones has created this extraordinary thing in FAIR and it is and will continue to do nothing less than revolutionize our industry. That he decided to share even a little bit of that with me by coauthoring the FAIR book is so incredibly humbling. It’s a gift that I will treasure for the rest of my life.
That I have been good in any way in building risk programs is due entirely to his teachings and mentoring early in my life and I am so incredibly grateful.
One of the best things about the FAIR Institute is the culture of giving back and during my acceptance I offered to anyone that I’d be happy to help them through their journey to risk quantification. I’ll do that again here: if you need support, tips, or just a sympathetic ear while building your risk program, please do reach out. I’d be happy to help :-)
I was inspired to write this article by a change in the speed limit that happened on a local Interstate. It was a good jumping off point to illustrate the parallels between speed limits and risk appetite and what it takes to change each.
You can read the article on the FAIR Institute website here.
I had a great time writing this post for the FAIR Institute. I was inspired by post-doc David Levari of the Harvard Business School’s article in The Conversation called Why Your Brain Never Runs out of Problems to Find. In it he talks about how our brains have a sliding scale of what “badness” is over time and how something will always occupy the spot of “badness” even when its not that big of a deal. In my write-up, I apply that to cybersecurity and include some pointers for FAIR practitioners.
You can read my latest FAIR Institute post here.
I was very fortunate to have the opportunity to share my thoughts on KRIs last week on The FAIR Institute’s website. I used the metaphor of Sentinel Species (think canaries in coal mines) to serve as an indicator of risk, but not of risk itself. That important distinction is one that I strongly feel is a difference we aren’t making in our identification and use of KRIs.
You can read the full article here.