Webinar: Scaling a FAIR-Based Cyber Risk Management Program at Netflix

Get a look into the very active quantitative risk management program at RiskLens client Netflix – watch this webinar with Tony Martin-Vegue, Senior Information Risk Security Engineer and a longtime FAIR™ practitioner, who is overflowing with actionable advice on establishing, socializing and running quantitative cyber risk management using FAIR with RiskLens. Joe Vinck, Strategic Account Executive for RiskLens, interviewed Tony.

Fill out the form at the bottom of this page to watch the webinar. 

You’ll want to watch the whole webinar (and take notes), but here are some samples: 

On getting started with a quantitative risk management program: 

Tony found his first internal clients by looking for teams that had recently made security investments and offering to run a cost-benefit analysis to see whether the investment was working. “I have never had anybody turn me down.”

His second tactic: helping to clean up risk registers across the company. “We started with the big list of risks that everybody has” (audit findings, pen test findings, etc.) “and normalized it” by identifying the asset in question, writing a risk scenario for it, then quantifying that scenario to produce a ranked list.

On running risk analysis to support decision-making:

Tony’s team at Netflix always runs multiple analyses: first a baseline of current loss exposure, then further runs modeling the addition or removal of controls. “What we really want to know is when it doesn’t work. Then you have a chance to course correct. If we didn’t have FAIR, it could be costing us more than it was worth, and we would never know.”

“The biggest business value that we have found so far is the ability to compare. It seems so simple but it’s elusive in many programs.”
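The two practices above, normalizing a register into a ranked list and then comparing a baseline against a control change, can be shown with a small FAIR-style Monte Carlo. This is an added example written for this page, not code from the webinar, RiskLens or Netflix; the scenario names, frequency and magnitude ranges, control effects and costs are constructed, and the triangular distribution is an assumed stand-in for the PERT distribution FAIR tooling usually uses.

```python
"""FAIR-style Monte Carlo: rank a normalized risk register by annualized
loss exposure (ALE), then compare a baseline against a proposed control.
Added example for this page; scenarios, ranges and costs are made up."""
import math
import random
import statistics
from dataclasses import dataclass
from typing import Optional

TRIALS = 20_000  # simulated years per analysis


@dataclass
class Estimate:
    """Calibrated min / most likely / max range, as a FAIR analyst would enter."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Assumption: triangular stands in for the PERT distribution FAIR tools use.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass
class Scenario:
    """A normalized risk-register entry: asset, loss scenario, and FAIR inputs."""
    name: str
    asset: str
    lef: Estimate        # loss event frequency, events per year
    magnitude: Estimate  # loss per event, in dollars


@dataclass
class Control:
    """A proposed change, expressed as its effect on frequency or magnitude."""
    name: str
    annual_cost: float
    lef_multiplier: float = 1.0
    magnitude_multiplier: float = 1.0


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; fine for the small yearly rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, ctrl: Optional[Control] = None,
                           trials: int = TRIALS, seed: int = 7) -> list:
    """One simulated year per trial: draw a rate, draw how many loss events
    occur at that rate, then draw and sum a magnitude for each event."""
    lef_mult = ctrl.lef_multiplier if ctrl else 1.0
    mag_mult = ctrl.magnitude_multiplier if ctrl else 1.0
    rng = random.Random(seed)  # fixed seed keeps baseline and control runs comparable
    annual = []
    for _ in range(trials):
        events = poisson(rng, s.lef.sample(rng) * lef_mult)
        annual.append(sum(s.magnitude.sample(rng) * mag_mult for _ in range(events)))
    return annual


def summarize(annual: list) -> dict:
    ordered = sorted(annual)
    return {
        "ale": statistics.fmean(annual),            # annualized loss exposure
        "p90": ordered[int(0.9 * len(ordered))],    # roughly a 1-in-10-year loss
        "p_any_loss": sum(x > 0 for x in annual) / len(annual),
    }


def rank_register(register: list) -> list:
    """The 'ranked list' step: highest baseline ALE first, as (name, ALE) pairs."""
    rows = [(s.name, summarize(simulate_annual_losses(s))["ale"]) for s in register]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def compare(s: Scenario, ctrl: Control) -> dict:
    """Baseline vs. control; a negative net_benefit is the 'it doesn't work' signal."""
    base = summarize(simulate_annual_losses(s))["ale"]
    with_ctrl = summarize(simulate_annual_losses(s, ctrl))["ale"]
    return {"baseline_ale": base, "controlled_ale": with_ctrl,
            "ale_reduction": base - with_ctrl, "control_cost": ctrl.annual_cost,
            "net_benefit": base - with_ctrl - ctrl.annual_cost}


def build_sample_register() -> list:
    """Constructed register; ranges are illustrative, not from any real program."""
    return [
        Scenario("Ransomware on the build farm", "CI build cluster",
                 Estimate(0.05, 0.2, 0.5), Estimate(200_000, 1_500_000, 8_000_000)),
        Scenario("Card data leaked through application logs", "payments service",
                 Estimate(0.1, 0.5, 1.5), Estimate(50_000, 300_000, 2_000_000)),
        Scenario("Stale API key committed to a public repo", "partner API",
                 Estimate(1, 3, 8), Estimate(2_000, 20_000, 150_000)),
    ]


# Constructed controls: one that should pay for itself, one that should not.
BACKUP_CONTROL = Control("immutable offline backups", 150_000, magnitude_multiplier=0.3)
WEAK_CONTROL = Control("quarterly repo secret audit", 100_000, lef_multiplier=0.9)

if __name__ == "__main__":
    register = build_sample_register()
    for name, ale in rank_register(register):
        print(f"{ale:>12,.0f}  {name}")
    print(compare(register[0], BACKUP_CONTROL))
    print(compare(register[2], WEAK_CONTROL))
```

The two `compare` calls are the point of the exercise: the backup control cuts the ransomware scenario's loss exposure by far more than it costs, while the secret-audit control trims the API-key scenario by less than its annual cost and comes out negative, which is exactly the "when it doesn't work" outcome the program is built to surface. Reusing one seed for the baseline and control runs is a cheap way to keep the comparison from being dominated by simulation noise.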

On prioritizing risk themes for analysis:  

Analysts can get “overwhelmed by the sheer number of risks coming in,” so, even before FAIR analysis, Tony’s group buckets the risks into tiers.

Tier #1 is for C-level and the board, covering strategic, existential risks or risks that persist over the years.

Tier #2 is for middle management, tactical risks relating to the platform or technology, emerging threats or budgeting, all with an emphasis on return on investment for security.

Tier #3 covers operational risks geared to security architects, engineers, pen testers or red teamers – for instance, for prioritizing pen test results for mitigation.

On the value of RiskLens for Netflix:

Among the many benefits of RiskLens to Netflix, Tony named first the platform’s “data helpers”. “RiskLens allows us to save data from every analysis – credit monitoring or response costs, probability of ransomware attack or credit card leakage. Next thing you know you have 200 risk analyses under your belt and you’re really not doing a lot of new research.”

Among other topics Tony covers:

  • Explaining FAIR to colleagues from different disciplines.
  • Tips on best practices for gathering frequency and magnitude data from internal and external sources.
  • How to put a price on reputation loss.

Fill out this form to watch the webinar: 
