View from RSAC 2018: Risk Quantification Goes Mainstream

Many signs of hope (and hype) at the recent RSA Conference that the cybersecurity profession is maturing toward the risk-based discipline that already drives RiskLens customers…from RSA President Rohit Ghai name-checking the FAIR model that powers RiskLens in his keynote speech – and saying that “cyber risk quantification is a hot field”…to RSA Archer showcasing its white-label version of the RiskLens cyber risk quantification solution…to an expo hall where vendors were busy rebranding their products as “risk platforms.”

Our Bryan Smith, Chief Technology Officer & Vice President of Product, and Jack Jones, RiskLens Co-founder and creator of FAIR, attended RSAC18 (Jack gave three talks) and came away with these impressions:

Bryan’s take:

“What can a year do? It can move a concept from acceptance to everyday practice. That’s what I observed this year’s RSA Conference. FAIR and cyber risk quantification are no longer mere concepts, they are everyday practices. Practices that are being applied to an increasing number of problems.

“In years past you would be lucky to see a single session on cyber risk quantification, let alone for broader IT risk. But this year there were many sessions on the subject and across a diverse set of situations. And to drive this home this year included prime time keynote coverage. My favorite was the call for the industry to stop looking for magic silver bullets and move to risk aligned security.

“Judging by the sessions, FAIR and risk quantification are transforming our industry. They are enabling clear and concise decisions in risk management. Risk metric programs are being enabled to inform the business in exciting new ways. Which in turn provide a feedback loop to risk management. Even ancillary security operations are now applying these techniques to transform their management. SecOps and DevSecOps will never be the same.

“It is clear organizations are hungry to take risk quantification to the next level. Many sessions and sidebar discussions were around data. And as before progress is being made here as well. The conversation is no longer about “I have no data” but instead it’s “I’m using data in new ways”.

“I’m confident that this trend is going to grow. There is a hunger from the audience to hear more pragmatic applications. To share best practices and inform each other. In short, I’m looking forward to next year’s RSA Conference.”

Jack added:

“Now that there’s beginning to be broad recognition and acceptance of the risk-based imperative, the inevitable next question that comes up is:  “How does an organization become risk-based in how it manages the cyber landscape?”  Answering this question begins with measuring cyber risk quantitatively, at scale, securely and cost-effectively.

“Today, the RiskLens (and RSA) Cyber Risk Quantification solution is the only enterprise-class risk product on the market, with numerous successful customer implementations.

“However, as with any sea-change in a market, vendors will rise to the call for products in this space.  This is both good news and bad news.

“The good news is that it will provide the usual benefits of market competition.  The bad news is that some of the solutions that arise won’t actually measure risk at all, despite their claims, or will measure risk inaccurately.  This can significantly diminish the progress we’ve begun to make as a profession, as it can lead to dangerous risk management decisions within organizations.

“The bottom line is that our profession needs to set a high bar for vendors in this space.  There’s simply too much at stake.”