A FAIR based security culture

By Denny Wan and peer-reviewed by Chris Patteson and Luke Bader

From the recent webinar delivered by Chris Patteson, Executive Director, Risk Transformation Office, RSA, titled “Let’s Be FAIR: Understanding the Paths to Introducing FAIR into Organizations”, there were many lessons learned and best practices shared. A full replay of the webinar is available to FAIR Institute members from the Resource Library. An audio-only extract and static slides are available for download here for listening while driving or running:

Introducing-FAIR-into-Organizations.mp3

Introducing-FAIR-into-Organizations.pdf

Columbus – Visionary or just plain lucky?

Chris recounted the historical decision by Queen Isabella to support Columbus’ expedition to explore the New World. According to National Geographic, this was a smart business move by Isabella to secure her power in Spain, as she was only third in line to the throne. Her decision to back Christopher Columbus unexpectedly paid off when he made landfall in the Caribbean. This expedition laid the foundations for the Spanish Empire in the New World, making Spain a dominant player on the world stage.

Source: Smithsonian American Art Museum – John Duillo, Christopher Columbus and Queen Isabella, ca. 1993

Chris explained that cyber risk executives are increasingly being questioned on their prioritization decisions in the face of major data breaches, notwithstanding significant investments in cyber security controls. While compliance with cyber security frameworks such as ISO 27000, PCI DSS and NIST CSF is a strong foundation for a cyber security program, a risk-based approach is necessary to further target these investments and improve efficiency and cost effectiveness. Like Columbus, some cyber risk executives are also lucky to be blessed with the support of senior executives and board members who are eager to explore the new world of cyber risk management.

Cyber risk – an opportunity or a liability?

A recent post from Chip Block discussed the unusual move by Slack in its IPO filing of stating that it is in a business that has a high likelihood of cyber attacks, that it has been attacked before, and that there are significant limits to what it can do about it. He also made the astute observation: “… How should investors quantify the risk that Slack has stated in their IPO? …”.

During the webinar Chris shared that in some cases legal counsel has expressed concern about explicitly quantifying cyber risk beyond the rough dimensioning of cyber risk exposure through heat maps, for precisely the opposite reason: it can create liability for the company. This concern echoes similar analysis explored in Chip’s article:

If a major breach occurs at Slack, does this paragraph impact shareholder actions in terms of bringing legal action? Slack is stating up front that there is a major risk of a cyber attack, so if that occurs, they have strong grounds that the risk was known to investors.

This might indeed be a pre-emptive strike by Slack to fend off, or at least contain, such future actions by investors. This is potentially an interesting inflexion point, where cyber risk quantification might be used to gain a competitive financial advantage.

The recent CNBC report on Moody’s plan to include cyber risk in credit risk calculations might be a sign of things to come. A recent Moody’s report has also foreshadowed this trend. Cyber risk practitioners may find themselves required to assist business stakeholders by quantifying their own and others’ cyber risks, making cyber risk quantification a potential value generator rather than a compliance cost. The $350 million discount secured by Verizon Communications in the purchase of Yahoo is a painful reminder that cyber risk quantification is not just a modelling exercise but can cost real money even when no money was stolen.

Insurance is not a Panacea

Another observation by Chip is the explicit declaration in the Slack IPO filing that its cyber insurance cover might not be sufficient either. The paragraph reads:

“We maintain errors, omissions, and cyber liability insurance policies covering certain security and privacy damages. However, we cannot be certain that our coverage will be available or adequate for all liabilities that might actually be incurred or that insurance will continue to be available to us on economically reasonable terms, or at all. Further, if a high-profile security breach occurs with respect to another software company with communication, collaboration, data collection, and integrations, our users and potential users could lose trust in the security of such solutions providers generally, which could adversely impact our ability to attract organizations to Slack or grow or maintain our Net Dollar Retention Rate.”

My recent post discussed some of the current debates on the insufficiency and ineffectiveness of cyber insurance covers, in light of recent and ongoing court cases disputing high-value cyber insurance claims. No one should speculate on nor pre-empt the court’s decision in these cases, but they certainly add further uncertainty to the role of cyber insurance as a risk transfer mechanism.

Start your Voyage

Moreover, Chris made it clear that the time for a siloed approach to cyber risk management is fast running out. We must commence the voyage of exploring a new land in cyber risk management. He cautioned against the risk of mutiny from rushing into such a transformation program without first building a FAIR-based risk culture. He explained the common obsession with precision in cyber risk quantification, without understanding the importance and practicality of aiming for accuracy instead. The image of the world map at the beginning of this post was published by Sebastian Munster in 1540, about 50 years after Columbus’ voyage, as the first to show America as a continent. While the map is not precise given our current geographical knowledge of the world, it is accurate even by today’s standards in identifying the major outlines of the North American continent.

Chris concluded his presentation with the following tips to commence a successful FAIR journey:

  • Lock in on the definition of risk, gain executive support
  • Adjust and start normalizing your risk register
  • Drive awareness
  • Start with basic estimations of probability and loss
  • Start developing a bench of expertise
  • Be prepared to wade into FAIR appropriately
  • Watch for the tipping points
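As an added illustration of the accuracy-over-precision point and the tip to start with basic estimates of probability and loss, here is a small Monte Carlo over FAIR’s two top-level factors, Loss Event Frequency and Loss Magnitude, each given as a calibrated min / most-likely / max range. This is example code written for this page, not code from the webinar or from any of the tools named here; the ranges are constructed sample values.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class Estimate:
    """A calibrated min / most-likely / max range for one FAIR factor (constructed values)."""
    low: float
    mode: float
    high: float

def _poisson(rng: random.Random, rate: float) -> int:
    """Number of loss events in one year given an expected rate (Knuth's method)."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(lef: Estimate, lm: Estimate, trials: int = 20_000, seed: int = 7) -> list:
    """Monte Carlo over FAIR's top-level factors: Loss Event Frequency (events per year)
    and Loss Magnitude ($ per event). Returns one simulated annual loss per trial."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        rate = rng.triangular(lef.low, lef.high, lef.mode)    # this year's frequency
        events = _poisson(rng, rate)                           # how many loss events occur
        losses.append(sum(rng.triangular(lm.low, lm.high, lm.mode) for _ in range(events)))
    return losses

def percentile(samples: list, q: float) -> float:
    ordered = sorted(samples)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

def summarize(losses: list) -> dict:
    """The accurate answer: a range with percentiles rather than a single number."""
    return {"mean": sum(losses) / len(losses),
            "p10": percentile(losses, 0.10), "p50": percentile(losses, 0.50),
            "p90": percentile(losses, 0.90), "max": max(losses)}

def point_estimate(lef: Estimate, lm: Estimate) -> float:
    """The precise-looking single number (most likely x most likely) that hides the tail."""
    return lef.mode * lm.mode

if __name__ == "__main__":
    lef = Estimate(0.5, 2, 6)                    # constructed: 0.5 to 6 loss events a year
    lm = Estimate(50_000, 200_000, 1_200_000)    # constructed: $50k to $1.2M per event
    print("point estimate:", point_estimate(lef, lm))
    print(summarize(simulate_annual_loss(lef, lm)))
```

The point estimate of $400k looks precise, while the simulated mean and 90th percentile show the exposure the board actually needs to hear about.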

Start with free tools and high-quality training

In the Q&A session, Chris demonstrated the value of enterprise-grade cyber risk quantification tools such as RSA Archer Cyber Risk Quantification. He drew attention to the availability of the free FAIR-based tool from the Open Group and the FAIR-U tool from the FAIR Institute. In addition, the TidyRisk R package for quantitative risk management, developed by David Severski, is a useful and intuitive tool for entry-level FAIR analysis. David’s presentation at SIRAcon 2019 is a very good introduction to TidyRisk.

Both Chris and Luke agreed that nothing substitutes for high-quality training, and the FAIR Institute hosts a large repository of FAIR training material, including Chris’ webinar. Membership has been growing more than 25% year-on-year, with over 5,100 members already. Fortunately, membership is still free for qualified candidates. Jack’s FAIR book is no doubt the most authoritative guide to learning FAIR. His free ebook “Set Up Your FAIR Program in 7 Steps” and the post “Jack Jones’ Top 10 Blog Posts” are must-reads for any would-be FAIR practitioner.

There is a self-study guide available from the Open Group to prepare for the FAIR certification exams. RiskLens, an authorised FAIR training provider, offers both online and classroom-based FAIR training courses. Classroom-based training will be offered, for the first time, outside the US next month across Sydney, Melbourne and Brisbane in Australia, saving the time and cost of travelling to the US:

FAIR Analysis Fundamentals Training Course 1 in Sydney – May 13-14

FAIR Analysis Fundamentals Training Course 2 in Sydney – May 16-17

FAIR Analysis Fundamentals Training Course in Melbourne – May 20-21

FAIR Analysis Fundamentals Training Course in Brisbane – May 23-24

The FAIR Conference is another important opportunity to learn from other FAIR practitioners. FAIRCON19 is scheduled for September 24 & 25, 2019 at National Harbor, Maryland, US. The early bird discount is still available until 30th June. Don’t miss out. I look forward to seeing you there.

Find the original article here: https://www.linkedin.com/pulse/fair-based-security-culture-denny-wan/