Webinar: Scaling a FAIR-Based Cyber Risk Management Program at Netflix

By Jeff B. Copeland | September 17, 2020


Get a look into the very active quantitative risk management program at Netflix, a RiskLens client – watch this webinar with Tony Martin-Vegue, Senior Information Risk Security Engineer, a longtime FAIR™ practitioner, who’s overflowing with actionable advice at establishing, socializing and running quantitative cyber risk management using FAIR with RiskLens. Joe Vinck, Strategic Account Executive for RiskLens, interviewed Tony.

You’ll want to watch this webinar through (and take notes) but here are some samples: 

On getting started with a quantitative risk management program: 

Tony found his first internal clients by looking for teams that had recently made security investments and offering to run a cost benefit analysis to see if it was working. “I have never had anybody turn me down.”

His second tactic: helping to clean up risk registers in the company. “We started with the big list of risks that everybody has” (audit findings, pen test findings, etc. ) “and normalized it” by finding the asset in question, creating a risk scenario, then performing risk quantification to come up with a ranked list.

On running risk analysis to support decision-making:

Tony’s team at Netflix always runs multiple analyses; first, a baseline of current loss exposure, then others modeling addition or reduction of controls. “What we really want to know is when it doesn’t work. Then you have a chance to course correct. If we didn’t have FAIR, it could be costing us more than it was worth, and we would never know.”

“The biggest business value that we have found so far is the ability to compare. It seems so simple but it’s elusive in many programs.”

On prioritizing risk themes for analysis:  

Tony-Martin-Vegue-Netflix-RiskLens-150x150-1Analysts can get “overwhelmed by the sheer number of risks coming in” so, even before FAIR analysis, Tony’s group buckets the risk by tiers.

Tier #1 is for C-level and the board, covering strategic, existential risks or risks that persist over the years.

Tier #2 is for middle management, tactical risks relating to the platform or technology, emerging threats or budgeting, all with an emphasis on return on investment for security.

Tier #3 covers operational risks geared to security architects, engineers, pen testers or red teamers – for instance, for prioritizing pen test results for mitigation.

On the value of RiskLens for Netflix

Among the many values of RiskLens to Netflix, Tony picked as the first convenience the platform’s “data helpers”. “RiskLens allows us to save data from every analysis – credit monitoring or response costs, probability of ransomware attack or credit card leakage. Next thing you know you have 200 risk analyses under your belt and you’re really not doing a lot of new research.”

Among other topics Tony covers:

  • Explaining FAIR to colleagues from different disciplines
  • Tips on best practices for gathering frequency and magnitude data from internal and external sources.
  • How to put a price on reputation loss.

Fill out the form below to download the webinar: