“Two years ago, the talk was about ‘Can you quantify risk?’
“Last year, it was about ‘Should you do it?’
“This year, it was ‘How do you do it?’”
That’s Jack Jones, RiskLens Chief Risk Scientist and creator of the FAIR model for cyber risk quantification, talking about the RSA Conference 2019, held last week in San Francisco. Take it from Jack, who has been to a lot of RSACs over the years as a lonely voice for risk-based cybersecurity – he recognizes a breakout change in the profession when he sees it and judging by the sessions and the buzz on the floor, this year marked a real shift.
“This was the most engaged crowd we’ve seen,” added RiskLens CEO Nick Sanna. “The market has definitely matured.”
Let’s start with the recognition given the FAIR Institute, the non-profit that promotes the use of FAIR, at the SC Awards held in conjunction with RSAC.
The Institute was recognized with a special award as one of the three Most Important Industry Organizations of the Last 30 Years, a nod to the Institute’s rapid growth in just three years: Nearly 30% of the Fortune 1000 companies are now represented among 4,000-plus members. (RiskLens is the technical adviser to the FAIR Institute.)
More signs of change:
Keynote Address: The Future Will Be Quantified
The conference kicked off with a keynote address by RSA President Rohit Ghai and cybersecurity consultant Niloofar Razi Howe (photo above), on a theme of looking back at today from 30 years in the future. Niloo’s forecast sounded like a page taken from the FAIR playbook, with its focus on “loss events” with a frequency and impact:
“As the concept of the perimeter evaporated…cybersecurity practitioners managed risk not only by understanding the likelihood of a potential loss event but more importantly by understanding the business impact of these events in order to take a risk orientation and protect what matters most.”
Lots of FAIR on the RSA Conference Speaker AgendaFAIR practitioners led a number of sessions at the conference – not only Jack’s talk on defining a cyber risk appetite but Marta Palanques and Steve Reznik of ADP on using FAIR to set key risk indicators, Evan Wheeler of Financial Engines on quantitative risk analysis for data breaches and Jack Freund of TIAA on a FAIR-based approach to pen testing.
FAIR Institute's Breakfast of FAIR Champions
The annual FAIR Institute Breakfast was a case in point for Jack’s observation that this is the year of ‘How do you do it?’ A panel of experienced FAIR security leaders – Steve Reznik of ADP (photo), Jack Freund of TIAA, Omar Khawaja of Highmark Health and Chris Porter of Fannie Mae – talked hands-on techniques and results of adopting FAIR in their organizations to an appreciative audience that, judging by the questions, had clearly moved up from “Can it be done?”.
Best Attended FAIR Training Course
Based on increased demand, the RiskLens Academy ran a two-day FAIR analysis training course ahead of RSAC for the first time. Sample comment from the end-of-class survey: “I have been doing risk management for more than 5 years and this course has changed the way I will talk about risk going forward.” And here’s an indication of things to come: A number of students were from the big accounting/business consulting firms, who said they were there in response to customer demand for FAIR analysis services.
Risk Quantification Wannabes on the Exposition Floor
In other sign of change, vendors are now piling on to promote “risk quantification” solutions. RiskLens President Steve Tabacek said “Everyone’s talking quantification but as I walked the vendor floor, they are quantifying ordinal scales, based on vulnerability counts or maturity ratings. Does that qualify as true risk quantification? We wouldn't say so... None of those approaches help organizations quantify risk in financial terms, enable effective prioritization and cost-effective decision making."
RiskLens Announcements During RSAC Extend Risk Quantification Across the Globe
We announced some important new partnerships around the conference:
- PwC Australia will introduce the RiskLens cyber risk quantification (CRQ) platform to its clients Down Under.
- Wipro, the global IT consulting firm based in Bangalore, India, will train its consultants on FAIR and offer the CRQ platform worldwide.
- Rsam, one of the leaders in GRC (governance, risk and compliance) now integrates the RiskLens platform with its solution.
What drove this change in focus at RSAC19?
In Jack’s opinion, “the community around FAIR has gained in size and is pretty vociferous. That lends credibility but beyond that, most people who think hard about this problem space know that it’s not what it could be in terms of efficacy. If something is on the horizon that offers a glimmer of hope, they are primed to jump on it and if it checks out, their attitude is hell, yeah, this can be done. And that’s the stage we’re at.”