At a time when cyber/information security risk looms large on the minds of directors and executives, quantitative risk assessments are gaining traction as a way to understand and measure that risk. While the need to measure this risk grows, most organizations are still at a low level of maturity regarding the proper use of risk terminology and risk modeling. Getting support and, more importantly, funding for a quantitative risk management program from IT Security and the Risk Council remains a challenge.
These were some of the recurring themes at FAIRCON18 earlier this month, the annual conference held by the FAIR Institute on October 16 and 17 at Carnegie Mellon University in Pittsburgh, Pennsylvania. (FAIR stands for Factor Analysis of Information Risk.) The FAIR Institute is an expert nonprofit organization dedicated to the discipline of measuring and managing information risk and led by information risk officers, chief information security officers (CISOs) and business executives. Protiviti was a conference and session sponsor, with several of our subject-matter experts attending.
Below, we share some of the key takeaways from the speakers and panel discussions at the conference, outlining the steps toward transforming how companies measure cybersecurity risk.
Quantifying Risk: The Next Frontier in Risk Management
FAIR model creator and FAIR Institute Chairman Jack Jones kicked off the conference with a keynote in which he challenged companies to rethink what “mature” really means when determining an enterprise risk profile. Many companies are still using the old qualitative or expert input method of managing risk and view themselves as a mature organization from an enterprise risk management (ERM) perspective. However, without using a mathematically backed risk analysis, this view of maturity is outdated.
Mr. Jones highlighted the FAIR Institute’s 2018 Risk Management Maturity Benchmark Survey as a way to benchmark organizations on their proper use of risk terminology and risk models. Overall findings showed that many companies are still at a low level of maturity in how they quantify risk, but maturity has increased since last year’s survey.
Shifting the Discussion to Cost-Effective Decision Making
Mr. Jones moderated a panel discussion between La’Treall Maddox, Senior Risk Manager at Cisco; Joel Baese, Director, Governance and Decision Science, Information Security at Walmart; and Chris Correia, Vice President, Cyber Security and Risk Compliance of Ascena Retail Group, Inc. The panelists shared the turning point at which they were able to win acceptance for using the FAIR approach in their organizations. Typically, acceptance was won by running pilot projects to showcase the effectiveness of FAIR in making risk-based decisions that are defensible and take emotion out of the process. In all cases, FAIR changed the way the panelists’ organizations thought about risk. Interestingly, some risks that had been considered high in the past turned out to be low-level risks or no risks at all when viewed through the FAIR risk model lens.
Reporting to the Board: What Got You Here, Won’t Get You There
Omar Khawaja, CISO at Highmark Health, addressed attendees on the topic of communicating risk to the board. Mr. Khawaja stressed the importance of establishing credibility with board members, which includes having the confidence to answer “I don’t know” to board-level questions. Of course, such an answer must always be followed up with the requested information at a later time.
Another point he emphasized was not to overwhelm board members with endless metrics. Highlighting a few key metrics that communicate the direction of the program and the top risks to the organization, including the measures taken to reduce them, is all board members need, unless they specifically request additional details.
Finally, CISOs must leverage their relationships and the board-level meetings to educate board members on cybersecurity topics to continue to mature the organization. An effective way to do this is by using cyber-related topics in the news to bring the risks close to home.
Communicating the Value of FAIR to Internal and External Stakeholders
Another discussion panel, moderated by Rachel Slabotsky of RiskLens, featured Greg Rothauser, Senior Information Risk Manager at MassMutual; Allison Seidel, Information Risk Management at PNC; Steve Reznik, Director, Operational Risk Management at ADP; and Brandon Young, Managing Director at Charles Schwab. The panel discussed what is important to communicate and in what terms. Specifically, it recommended the following:
- Rank critical assets based on a single loss event. Each scenario under FAIR creates a loss event. By understanding how much loss, in dollars, is attributed to a particular asset, stakeholders can make better business decisions and communicate them in monetary terms.
- Identify key controls that help mitigate critical risks and establish a mitigation plan based on risk analysis results. Based on the risk analysis results, organizations can look at their cybersecurity controls in place and understand what additional controls are needed.
- Use FAIR to walk regulators through your risk assessment analysis. Since FAIR is measured quantitatively and not qualitatively, companies can use their risk assessment analysis to explain to regulators exactly how risks to the organization were derived using mathematical principles, as opposed to other, less measurable approaches such as an expert’s experience.
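The asset ranking and control evaluation the panel describes can be shown with a small simulation. The following is an added example, not code from the FAIR Institute, Protiviti or any panelist: a simplified FAIR-style Monte Carlo that turns constructed (min, most likely, max) estimates for threat event frequency, vulnerability and loss magnitude into annualized loss in dollars, ranks scenarios by it, and checks whether a control that lowers vulnerability pays for itself. The scenario names, estimates, the triangular distribution standing in for PERT, and the 10,000-trial default are all assumptions.

```python
import math
import random

# Constructed (min, most likely, max) estimates: threat event frequency per year, vulnerability
# (probability a threat event becomes a loss event) and loss magnitude per event in dollars.
SCENARIOS = {
    "customer database: ransomware": {"tef": (2, 6, 12), "vuln": (0.2, 0.4, 0.7), "lm": (50_000, 400_000, 2_000_000)},
    "marketing site: defacement": {"tef": (5, 15, 30), "vuln": (0.3, 0.5, 0.8), "lm": (1_000, 10_000, 60_000)},
    "field laptop: theft": {"tef": (1, 3, 6), "vuln": (0.5, 0.8, 0.95), "lm": (2_000, 8_000, 40_000)},
}

def draw(rng, estimate):
    """Sample a (min, most likely, max) estimate; triangular stands in for the PERT used by FAIR tooling."""
    return rng.triangular(estimate[0], estimate[2], estimate[1])

def poisson(rng, lam):
    """Knuth's method: how many loss events occur in one year at loss event frequency lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(scenario, trials=10_000, seed=7):
    """Return (annualized loss expectancy, 95th-percentile annual loss) in dollars."""
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        lef = draw(rng, scenario["tef"]) * draw(rng, scenario["vuln"])  # loss event frequency
        events = poisson(rng, lef)
        annual.append(sum(draw(rng, scenario["lm"]) for _ in range(events)))
    annual.sort()
    return sum(annual) / trials, annual[int(0.95 * trials) - 1]

def rank_scenarios(scenarios=SCENARIOS):
    """Highest annualized loss first: the dollar-based asset ranking the panel described."""
    rows = [(name, *simulate(s)) for name, s in scenarios.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def control_value(name, new_vuln, annual_cost, scenarios=SCENARIOS):
    """Compare the loss reduction from a control that lowers vulnerability with what it costs per year."""
    before, _ = simulate(scenarios[name])
    after, _ = simulate({**scenarios[name], "vuln": new_vuln})
    return {"ale_before": before, "ale_after": after, "net_benefit": (before - after) - annual_cost}

if __name__ == "__main__":
    for name, ale, p95 in rank_scenarios():
        print(f"{name:32s} ALE ${ale:>12,.0f}   95th pct ${p95:>12,.0f}")
    print(control_value("customer database: ransomware", (0.05, 0.1, 0.2), 250_000))
```

The 95th-percentile column is the kind of value-at-risk figure a board can compare against risk appetite, while a negative net benefit flags a control whose annual cost exceeds the loss it removes.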
A Risk Committee Chair’s View of ERM and Cybersecurity Oversight
James Lam, Director, Chairman of the Risk Oversight Committee at E*TRADE Financial, offered his perspective on ERM and cybersecurity in the future, from his position as a board member.
He said that cybercriminals will continue to launch blended attacks that are increasingly sophisticated, audacious and consequential. At the same time, corporate executives and directors will face new regulations with more stringent standards for governance, privacy, security and disclosure. This will raise the demand for better, more actionable reporting from CISOs, with cybersecurity likely to become an integral part of the organization’s ERM, rather than being viewed as a separate area of risk management.
Meeting these demands will require advanced technologies and tools to help companies measure, monitor and manage their cyber risk profile, he said. More cyber risk quantification models will be developed and implemented to measure value-at-risk on an ongoing basis to help companies monitor their cyber risk profiles and evaluate the cost effectiveness of security controls.
Overall, the takeaway message from the conference boiled down to this: Cybersecurity risk continues to increase in magnitude and in the potential for financial loss to companies, so accurately measuring this risk is imperative. Using FAIR to measure cyber risk quantitatively, in a common language, is one way to balance these two factors and to benchmark against best practices. It is also the best way to create a mindset of viewing cyber risk from an ERM perspective.
Evan Engelage, Senior Consultant with Protiviti’s Security and Privacy practice, contributed to this content.