October 2019 NC FAIR Chapter Meeting Recap – Breaking Down FAIRCon19
Earlier this month, Bank of America’s FAIR team hosted an NC FAIR Chapter meeting in Charlotte, NC. This meeting was a recap of the highlights from this year's FAIR Conference (FAIRCon19). It was well attended, with 18 people total. Half of the group attended FAIRCon, while for some, FAIRCon was their first introduction to FAIR and the NC chapter meeting of practitioners was their first follow-up.
The recap of FAIRCon19 was broken into three categories: Interesting takeaways, things we had questions on, and suggestions for next year. At the top of the interesting takeaways was the presentation from Greg Rothauser, the Enterprise Business Information Security Officer (BISO) at MassMutual called “Closing the Risk Management Loop with Cyber Risk Quantification,” and more specifically, the conversation about risk appetite. Often, a risk appetite comes from the business in broad statements such as, “We don’t want to wind up on the news.”
At the chapter meeting, we discussed risk appetite in more detail. If we score the risks that we are concerned about, then we have a risk appetite. If we have not made an explicit risk appetite decision, look at what risks we are leaning into, and what we are avoiding. This can give a sense of the risk appetite. At Bank of America, policy can stand as a proxy for risk appetite. Policies tell us to take actions that are sufficient to manage risk within acceptable boundary lines. Assuming this is correct, we can use FAIR to see how far we are from our risk appetite. From the other direction, we can use proxies to figure out what the organization’s appetite is based on the way they are behaving and reflect that into new policies. Operational concerns could be used as a proxy for what should be quantified.
Another presentation that was extremely interesting was Congressman Jim Langevin’s presentation that discussed cybersecurity from the view of U.S. Congress. As the Co-Chair of the Congressional Cybersecurity Caucus, he gave us great insights about the history of cybersecurity in the government and what they are working on today.
One of the topics that we had more questions on was bridging the gap between positive risk and the potential for harm. Taking advantage of the potential for harm has the potential for some positive outcome. This led us to the definition of “risk,” and “harm” is always part of that definition. Risk can be good and bad, but there is always the potential for harm. The bridge is that risk is always present and is inherently bad, but we can take advantage of it, and FAIR helps with that. A clearer definition of the bridge might be helpful in the future.
An overall thought from those who attended past FAIRCon events and this one was that it made great improvements. The caliber of the speakers and of the event as a whole was elevated, and we enjoyed the Beginner and Advanced tracks. We came up with some suggestions for future FAIRCon events.
One suggestion is that it would be beneficial to learn from other advanced practitioners through discussion and conversations. It could be something like an open mic, where someone can come up and explain their problem and connect with other practitioners who may be able to help. During our chapter meeting, we took advantage of LinkedIn’s Find Nearby feature, where it automatically finds others in proximity and allows immediate connections. Another idea might be for speakers to have targeted conversations about their presentations in small groups, similar to “office hours.”
Jack Whitsitt, SVP and FAIR Team Lead at Bank of America, who presented on Operationalizing Risk Quantification in Business Processes, suggested a maximum time limit for presentations, perhaps 30 minutes for the talk and 30 minutes for discussion. Shorter presentations will leave ample time for follow-up discussions. These are the discussions that will help people go into more detail and learn more about how to apply FAIR to their own use cases.
The general consensus of the chapter meeting was that FAIR as a whole is growing exponentially. This was evident at FAIRCon. We could see the growth even in the chapter meeting, where about half in attendance were new FAIR users and half were experienced. We are even growing throughout the world. Exor Torres, an Enablement Specialist from the FAIR Institute, said about 70% of new members are from countries outside the United States, which is so exciting to hear.
Overall, this was a great meeting and we had some amazing discussions! Thank you all for being a part of FAIR and breaking ground together. Please join us for the next chapter meeting to be held in Raleigh, NC on Cisco’s RTP Campus on February 13, 2020! RSVPs preferred.