The San Francisco Chapter of the FAIR Institute had its latest meeting on June 21, 2018, generously hosted by Twilio at their company headquarters. It was a well-attended event and featured two great speakers; Jack Jones, Chairman of the FAIR Institute and Calvin Liu, Director of Operations at Ventura Enterprise Risk Management. Both talks elaborated on specific use cases of FAIR, quantitative risk analysis and techniques, with ample time to network and ask questions. As with all local FAIR chapters, the San Francisco meetings are a fantastic opportunity to hear great speakers, get tips on how to integrate quantitative risk into your risk program and meet new people — from newcomers to FAIR, to those with broad experience.
Information Overload: How much do boards really need to know about cyber risk?, presented by Jack Jones
It was a pleasure to have Jack Jones, a frequent keynote speaker and fixture of the FAIR community, speak at the San Francisco chapter meeting. Jack’s talk focused on what relevant information CISOs should expect from a FAIR analysis, and in turn, how much of that information a company’s Board of Directors expects to be briefed on. Jack also interspersed many common problems and pitfalls that risk managers run into when analyzing risk or incorporating quantitative techniques into their risk programs. Some common issues are: absence of critical thinking, relying on broken models (CVSS and NIST 800-30 are examples) and focusing on the possibility rather than the probability of loss events.
The highlight of the talk was when Jack, based on his experience as a CISO, gave the 5 Questions the Board Should Ask the CISO. The five questions are:
- Do we know what/where all of our crown jewels are?
- What are our top ten cyber risks?
- How much exposure does the top cyber risk represent?
- Who is responsible for measuring cyber risk?
- What is the prevailing root cause behind non-compliant conditions?
If you are a CISO or a risk manager supporting a CISO, anticipate these questions. FAIR helps answer them in a defensible and actionable way.
Using FAIR as a Systemic Cyber Risk Owner, presented by Calvin Liu
Calvin is a returning speaker to the San Francisco chapter and a crowd favorite. Calvin’s broad and varied experience in the field of risk management gives him a unique perspective and often presents new ways to apply FAIR. This talk was no exception; Calvin presented on how cyber insurance carriers can use FAIR to determine the probability and impact of the various events typically covered by a policy, with the objective of setting policy premiums. Several examples were given, ranging from ransomware and several natural disaster scenarios to typical cyber-attacks. Cyber insurance companies already use some form of risk quantification, but FAIR is very appealing in that it’s easy to use and is purpose-built for precisely the type of analysis required. Follow this space closely — as the cyber insurance industry continues to mature, FAIR will be an essential component.