Accepted at RSA 2019 – Virtual Pen Testing

I’m very pleased to announce that I’ve been accepted to speak again at next year’s RSA Conference. I’m going to be presenting on an Agent Based Model concept using FAIR risk results jointly with my colleague Joel Amick. Joel’s team and my team worked to develop a POC of this work and we can’t wait to share what we developed with you in March!

Here are the details of the session; please be sure to save it to your agenda!

RedZone Podcast about Risk Forecasting

Bill Murphy‘s interview with me for his RedZone podcast was posted today. I had a great time talking with Bill about risk, FAIR, and forecasting. You can find the podcast here. It was a great discussion, and Bill was a very gracious host. His entire podcast series is worth subscribing to: he interviews some really interesting people who bring a diverse view to risk and security. I enjoyed listening to him interview my friend Jack Jones but I also enjoyed his recent discussions with Zach Schuler. Be sure to check them out.

Risk Forecast Accuracy at Cyber Risk NA

I’m pleased to announce that I have been asked to present at the Cyber Risk North America conference on 15-16 March in NY. Its offered in conjunction with OpRisk North America where I presented last year.

I will be presenting on the theme of assessing quality using Risk Forecast Accuracy (a topic that was the subject of our article in the February ISSA Journal). Come for a great session on the practical approach of creating and measuring the accuracy of the rating tables for your organization. I’m scheduled to speak on the second day at the 11:40AM session.

Risk Forecast Accuracy – Feb ISSA Journal

In this month’s ISSA Journal, my colleagues and I wrote about Risk Forecast Accuracy. This is a practice that all mature risk functions should pursue and we offer an approach that is relatively straightforward and practical in its application.

If we accept that risk is a statement about the future, then its important to also measure how well we did at forecasting these bad things. Its a job that requires staying up to date on what is happening in the industry and to what extent it will apply to your specific organization. It provides not only a good measure of how well you did, but also a foundation upon which you can base what your risk should be going forward.

Risk work is never complete; continuous improvement should be our goal. Embrace being incomplete.