FAIR Institute Sydney Chapter Hybrid Meeting (Feb 2023)

Schedule

Fri Feb 10 2023 at 11:45 am to 01:00 pm

Location

IBM Australia | Sydney, NS

Using metrics to scale industry data for FAIR factors
About this Event
Ways to use your metrics to scale industry data for FAIR factors

This is a hybrid meeting with the option for in-person participation at IBM Sydney and online (WebEx)

Date: Friday 10th Feb 2023

Time: 12noon – 1pm

In-person: IBM Australia, Lvl 17, 259 George Street, Sydney 2000

WebEx: Link will be emailed to registered participants




The Open Group FAIR Cyber Risk Quantification (CRQ) framework is a standardised way to express cyber risk in dollar values, which empowers business stakeholders to better understand the business impact of cyber risk and to prioritise the risk management strategy as part of the Enterprise Risk Management (ERM) decision process. Some CRQ sceptics are worried that cyber-attacks are morphing too rapidly, resulting in a lack of historical data to support the CRQ modelling process. Doug Hubbard [1] came to the rescue through his “How to Measure Anything in Cybersecurity Risk” [2] methodology, which is referenced in the FAIR Risk Analysis (O-RA) Standard [3]. But what if we are drowning in an ocean of risk data, thanks to the “logging everything can do no wrong” mantra in an era of religious disclosure in the cyber risk regulatory environment?

David Vohradsky has been at the forefront of the research into this data analytic challenge, kicked off with his 2015 ISACA paper “A Practical Approach to Continuous Control Monitoring” [4]. His pursuit of excellence in this methodology led him to FAIR, which culminated in his 2022 ISACA article “The Cyberrisk Quantification Journey” [5], which might also have contributed to his thinning hairline?

David will kick off this meeting by revisiting his FAIR journey and a recent milestone leveraging machine learning and workflow to close cyber governance and risk knowledge gaps, quantify the risk, determine the most effective next steps to take, and help deliver them. He will then join an expert panel of cyber risk and privacy risk practitioners to examine ways to use metrics to scale industry data for FAIR factors.

The Chapter wants to thank IBM Australia for hosting the event and Jack Freund for dialling in from Charlotte, North Carolina. Jack, who coauthored the FAIR Book [6] with Jack Jones, is no stranger to the FAIR community.



Panellists (in alphabetical order):

David Vohradsky (https://www.linkedin.com/in/vohradsky/)

David Vohradsky is the Cyber Security Practice Manager at Avocado Consulting and Founder of MyRISK. He is an internationally recognized IT leader and author, with 30 years of experience across multiple industries, spanning specialist IT roles, program management, middle and executive management, consulting, as well as IT governance, risk, security, and audit. His experience includes senior management roles within international consulting organisations, government, and some of Australia’s leading Banks.


Jack Freund (https://www.linkedin.com/in/jackfreund/)

As Head of Cyber Risk Methodology for VisibleRisk (Moody’s/Team8 JV), Jack Freund has overall responsibility for the systemic development and application of frameworks, algorithms, and quantitative and qualitative methods to measure cyber risk. Previously, Freund was Director, Risk Science at quantitative risk management startup RiskLens. Freund has 22 years of experience in technology and risk management for TIAA, Nationwide, and Lucent Technologies. Freund was awarded a Ph.D. in information systems after his research in disaster informatics and cyber resilience at Nova Southeastern University. Freund has been named a Fellow of the IAPP and the FAIR Institute and Distinguished Fellow of the ISSA. He has been awarded the (ISC)2 Global Achievement Award, ISACA’s CBK Award, and the FAIR Champion Award.


Ruby Li (https://www.linkedin.com/in/ruby-li-53ab791/)

Panel Moderator

Experienced Managing Consultant with a demonstrated history of working in the information technology and services industry. Strong consulting professional skilled in Business Process, Software Development Life Cycle (SDLC), DevSecOps, Threat Modelling, Professional Management, Enterprise Architecture, and ITIL.


[1] https://www.linkedin.com/in/dwhubbard/

[2] https://hubbardresearch.com/shop/measure-anything-cybersecurity-risk-signed-doug-hubbard/

[3] https://pubs.opengroup.org/security/o-ra/


[4] https://www.isaca.org/resources/isaca-journal/issues/2015/volume-2/a-practical-approach-to-continuous-control-monitoring

[5] https://www.isaca.org/resources/isaca-journal/issues/2022/volume-2/the-cyberrisk-quantification-journey


[6] https://www.fairinstitute.org/fair-book



Where is it happening?

IBM Australia, 259 George Street, Sydney, Australia


Tickets

AUD 0.00


Host or Publisher FAIR Institute Sydney Chapter
