Page 3 - Cyber Defense eMagazine September 2018
@MILIEFSKY
From the Publisher…
CyberDefense.TV is live and growing with more interviews each month…
Dear Readers
I have just returned from CloudSEC Europe 2018 where I shared the stage with some brilliant panelists. We
discussed the ever-evolving role of the CISO. One of the items we agreed would become very important is
the standardization of measurements for risk to organizations. There's a new standard on the block, called
FAIR - which stands for Factor Analysis of Information Risk (FAIR) and is emerging as the standard Value at
Risk (VaR) framework for cybersecurity and operational risk. It is hosted and managed by The FAIR Institute,
a non-profit professional organization dedicated to advancing the discipline of measuring and managing
information risk, located at https://www.fairinstitute.org/. Membership is free, just like subscribing to our
eMagazines, so what are you waiting for?
FAIR provides information risk, cybersecurity and business executives with the standards and best practices
to help organizations measure, manage and report on information risk from the business perspective. The
FAIR Institute and its community focus on innovation, education and sharing of best practices to advance FAIR
and the information risk management profession. I've always been a strong proponent of standardization in
Information Security - from the CVE (common vulnerability and exposure) standard for documenting 'holes' in
our computing equipment, software, hardware and networks to CWE (common weakness enumeration) - a
way to better understand how to write great code - writing software with security best practices by avoiding
leaving exploitable flaws in your compiled code. This standard is one to learn about and share in your
organization.
Some of the areas I consider critical include looking for and measuring risk around People, Apps, Networks,
Computing equipment, Code and Data (plus the databases where we find the data). I call this PANCCD – yes
another acronym – this time I invented it and I’ll share more about it in upcoming articles. There will absolutely
be more to come on the topic of making cybersecurity measurable so stay tuned!
Gary S. Miliefsky, CEO
Cyber Defense Media Group
Publisher, Cyber Defense Magazine