Reconsidering Risk: Reflections on the 2018 FAIR Conference
The rapidly evolving cyber threat landscape has prompted experts from various industries to attend the annual FAIR Conference, which brought together risk leaders to explore best practices using the Factor Analysis of Information Risk (FAIR) Model. Returning from FAIRCON 2018, Evolver’s Cybersecurity Consultant, Ed Peck, shares his opinions on a few of the most impressionable trends and discussions.
FAIR has reached a new state of maturity
First, I’d be remiss in not mentioning the noticeable growth of FAIR practioners and those interested in learning more about FAIR. It’s clear that the FAIR methodology has seen a “maturity growth spurt” in the subjects of this year’s presentations and discussions. Whereas last year’s conference discussed how best to implement FAIR and to convince management it was the best way to go forward, this year a lot of the topics dealt with suggestions on how to communicate results to the Board of Directors. In one short year, we went from “how can we get this in my organization?” to “how can I best explain the results to the Board?”
This dynamic brings me to the two most impactful speakers for me at this year’s FAIRCON: Mr. James Lam (Director, Chairman of the Risk Oversight Committee, E*TRADE Financial; Independent Director, RiskLens) and Mr. Jack Jones (Chairman, The FAIR Institute, EVP R&D, RiskLens).
Mr. Lam was the Day 2 Keynote Address, A Risk Committee Chair’s View of ERM and Cybersecurity Oversight, and it was an engaging presentation on how Boards of Directors view risk, cybersecurity, and what type of metrics they find most useful. That alone was worth listening to, but what really got me thinking was his definition of risk. Risk is a variable that can cause deviation from an expected outcome, or more simply stated, “Risk is a distribution curve.”
As Mr. Lam went on to describe: the middle of the curve represents anticipated results, while the two tails represent the downside of risk (low end) or the upside of risk (high end).
Wait, there’s an upside to risk?
Speaking for myself and other cybersecurity professionals I’ve dealt with, risk always had a negative outcome associated with it. If we don’t fix this risk, these bad things could happen. But Mr. Lam explained that when you combine risk with business goals, there is an upside or beneficial component of risk.
He also brought up the scenario of a cybersecurity professional explaining to a Board of Directors that, “yes, we recommend increasing the cybersecurity risk of this project because it aligns with the company’s strategic risk goals”. I almost fell out of my chair! Cybersecurity is supposed to be doom and gloom, stopping or significantly slowing down risky projects, and protect, protect, protect. We don’t advocate increasing risk! To me, that was another preconceived cybersecurity truth I had to reconsider. Which leads me to the next speaker I mentioned, Mr. Jack Jones.
System 1 vs. System 2 thinking
For those unfamiliar, Mr. Jack Jones is the godfather of the FAIR movement. One of the jokes spoken at the conference was that, “this is not supposed to be the Cult of Jack.” That’s how important he is to FAIR. While his talks and speeches are always enlightening (I highly recommend visiting the FAIR Institute webpage and viewing his videos), one of his points this year was the System 1 vs. System 2 thinking as described in Daniel Kahneman’s book, Thinking, Fast and Slow.
I was unfamiliar with this concept, so it propelled me to read Kahneman’s book, but essentially System 1 is fast, instinctive, and emotional thinking; while System 2 is slower, more deliberative, and more logical.
My System 1 way of thinking scoffed and dismissed Mr. Lam’s notion of a cybersecurity professional ever agreeing to increase cyber risk. But I paused, then let my System 2 mind start to work through what was being said, and came to realize that we as a profession should be comfortable and willing to make such a statement.
Cybersecurity is not some segregated department in the enterprise, it’s an important and integrated component of achieving stated business goals. If the current business goal is to be a technology leader, then cybersecurity should help achieve short-term risky entry and then work on ways to provide more security products and/or services. And, as Mr. Jones emphasized, FAIR is instrumental in cybersecurity professionals moving from System 1 to System 2 thinking. No longer do I instinctively assign red status to a finding, but I deliberately evaluate the finding through the FAIR framework.
I will conclude my thoughts with one more Mr. Lam point. In the 1980’s and 1990’s, Credit Risk and Market Risk was thought to be non-quantifiable and no way could there ever be any tools to help understand it. This is the same argument I hear today about cyber risk. Just as earlier forms of risk were quantified and tools developed to analyze them, so too can cyber risk be measured, analyzed and communicated.
Ed Peck, Cybersecurity Consultant, Evolver
Ed has lived and breathed cybersecurity for almost 20 years as a professional information security provider. Ed’s current role at Evolver, a Converged Security Solutions company, connects him face to face with the customer – and their data. His FAIR analyst certification means he knows which sets of data are the most valuable, can determine the amount of monetary risk an organization has based on the way it handles its data, and can make recommendations about each. He is CISSP-ISSEP certified and is an instructor for George Mason University’s Essentials of Factor Analysis of Information Risk (FAIR) Course.