What’s the probability of a conference of risk managers being snowed out two years in a row? Pretty good, it turned out: The Cyber Risk North America Conference (CRNA) in New York was rescheduled last year due to a blizzard, and this week, it made it through a day and a half before organizers had to call it off early for another storm.
Before slip-sliding their way home, conference attendees were a high-energy crowd, with a notable increase of C-suiters over last year.
Here are some of my takeaways from the conference:
1. This year, they were talking about cyber risk quantification like it can be done.
Over the years, we’ve watched an evolution on conference panels, with quantification off the radar then on the radar. At first it was addressed as more pie in the sky, but now has a serious tone of acceptance that cyber risk can be expressed in financial terms using Value at Risk (VaR) modeling, driven by some urgent direction from the C-suite and the board.
The “CISO of 2020” should have cyber VaR in their toolkit, said panelist Thomas Kartanowicz, Head of Information Security, Natixis CIB Americas, the corporate and investment banking firm. “We need to become more like credit risk and market risk and stop being the poor stepchild in the room.”
Kartanowicz probably spoke for many at the conference, when he added these doubts: “When we talk about risk quantification, we are still in the realm of the risk matrix. Precision is very difficult, and it is a challenge that we face as an industry. It is tough to have enough data to quantify the risk.”
But Jack Jones, co-author (with Jack Freund) of the bible of cyber risk quantification, Measuring and Managing Information Risk: A FAIR Approach, and EVP at RiskLens, was also on hand as speaker to walk the audience through the facts of quantification:
“Can cyber risk be quantified? Of course! When people think about quantifying risk who aren't in the profession of quantifying risk, they think we're supposed to quantify it precisely which is a pipe dream. Precise quantification of risk in our problem space won't happen in my lifetime.”
Even with weak data, the FAIR model can output risk as a distribution of possible outcomes. “You can still have an accurate measurement, it’s just going to be a wider, flatter distribution,” said Jones, which is in itself a conversation starter with management about the need for better data.
Manan N. Rawal, Head of US Model Risk Management for HSBC USA, the American subsidiary of the big UK bank, agreed: “The articulation has got to be: what is the uncertainty of your quantification estimate? What is the likely outcome if you don’t do anything?” By showing the landscape in quantified terms, risk managers will “generally get more proactive engagement”.
2. Consensus is growing that terminology in the cyber risk profession needs to be normalized.
One of the benefits of the FAIR approach is aligning all parts of the business around a common vocabulary for discussing risk – and several speakers hit on the Tower of Babel problem in risk management communication. “We’ve tried to bring information security more in to the risk world and normalize terminology,” said Michael J Abriatis, Executive Vice President, Chief Operational Risk Officer, PNC Bank. “If operational risk is speaking a different language than audit, that’s a red flag. We should speak the same language but not have the same topics.”
“Cyber is a complex domain, and if you don’t talk the same taxonomy, it could confuse stakeholders,” said Henry Jiang, Head of Cyber Risk, Societe Generale.
Aengus Hallinan, Managing Director, Group Operational Risk Management and Business Continuity for Credit Suisse, tied it up neatly when he said that quantification could be “the Rosetta Stone” for risk communication throughout the organization.
3. Cyber risk is looking more like operational risk. And that’s good for cyber risk.
Hallinan made the case for operational risk as the intersection point for cybersecurity and risk management – and not just for those reasons of shared communication. He urged infosecurity types to “build a coalition of the willing” with the existing risk decision making bodies in the organization. “Frankly, IT operating committees are technologists and that’s a problem.” He urged IT security to move closer to Risk – “these people can make decisions, and you shouldn’t create a parallel universe for cyber.”