Never Miss An Episode | Subscribe Now
Home
Shows
ShopAboutWork With Us
Creative Mastermind
CyberCreatorCon2023
Never Miss An Episode | Subscribe Now

June 2, 2021

FAIR from the Trenches w/ Drew Brown

by Cyber Ranch

Listen Now

FAIR from the Trenches w/ Drew Brown

June 2, 2021 Cyber Ranch

00:00:00

Show Notes

With us today is Drew Brown, IT Security Manager at the Commonwealth of Pennsylvania. Drew is here to talk about FAIR and his real-world usage of it and testing it in the trenches. Drew shares a little bit about his background in cyber, and a little bit about his day job. He spent 15 years in IT. That opened the door then for him to be the CISO for one of the state agencies. Now his title is IT Security Manager but essentially he is responsible for communicating security and risks and working within a law enforcment agency to make sure that what is implemented is secure, it's compliant, and it meets all of the agency objectives. With FAIR, you start by asking some very basic questions: What is the asset? What is the thing of value that you're trying to protect? Once you understand what that is, you then ask who is going to come after that asset: cyber criminals, nation state, some kind of industrial espionage, hacktivist, or whatever. Or maybe it's Doris in accounting. Either way, you start to work through who might come after that information. The probability of a guy sitting in his basement, ordering pizzas on your credit card is a different probability than a nation state. On the impact side, we look at six different categories of risk, there's loss to productivity, there's losses in terms of response, how much money are we going to spend? Or do we have to spend to resolve that loss event that incident? The six forms of loss are productivity, response, replacement, fines and judgments, competitive advantage and reputation. We start looking at what those dollar amounts actually are. But we want to concern ourselves with the most likely and what's the loss magnitude at that most likely value? Now we can go to that executive and say, “Okay, do you want to build a new parking lot? Or do you want to resolve this risk?” Then we can have a business conversation about it. Allan asks, “What drove you to FAIR?” Drew states that one of the biggest arguments against FAIR that he always hears is, “We don't have enough data points to do this." Drew decided FAIR can help make better decisions about risk. And that is the goal of FAIR anyway - to make better business decisions, better risk decisions. Digging a little deeper, Allan asks, “Are you confident that it achieved the goals you set out to achieve with it?” In short, the answer is absolutely! Where FAIR falls shorts comes up. After reflecting, Drew says that it is in the controls analysis piece. Allan asks Drew what keeps him going in cyber. With a laugh, Drew gives a quick answer of "coffee" and then follows with, “I enjoy that a relationship with my counterparts and then also establishing those relationships with the business and seeing the problems solved.” What’s coming over the horizon? According to Drew, it’s seeing the normalizing of cybersecurity and making it less of a burden to hire new and diverse talent. Key Takeaways 1:15 Drew shares his background and day job 2:20 FAIR model 2:56 How FAIR works 5:13 Probability 8:45 What drove you to FAIR 11:42 Goal of FAIR 13:30 Selling to the board 18:16 The honest hat 22:17 RSA announcement 23:32 What keeps Drew going 24:49 What Drew looks forward to Links: Learn more about Drew Brown on LinkedIn Follow Allan Alford on LinkedIn and Twitter Learn more about Hacker Valley Studio and The Cyber Ranch Podcast Sponsored by our good friends at AttackIQ
Read more

Recent Episodes

View All

September 20, 2023

The Cybersecurity Efficacy Gap w/ AJ Grotto

by Cyber Ranch

Allan is joined by AJ Grotto: William J. Perry International Security Fellow and Founding Director of the Program on Geopolitics, Technology and Governance at Stanford University.  He also serves as the faculty lead for the cyber policy specializatio...

Listen Now
September 13, 2023

Cybersecurity Awareness Month CALL TO ACTION - The Podcast Trifecta!

by Cyber Ranch

Warning: Some naughty language in this show, but well placed naughty language! Challenge issued!!!! Allan has teamed up with TWO other podcasts to take on the insufferable marketing that floods the cybersecurity industry in the month of October! Who ...

Listen Now
September 7, 2023

Protecting Small Organizations w/ Georges Merchak

by Cyber Ranch

Nearly 43% of cyber-attacks are on small businesses. 82% of ransomware attacks were targeted at companies with less than 1000 employees. 61% of SMBs were the target of a Cyberattack in 2021. 37% of companies hit by ransomware had fewer than 100 emplo...

Listen Now
August 30, 2023

Nowhere to Hide w/ Chris Roberts

by Cyber Ranch

You know you're being watched, right? Imagine for some reason you needed to bury a treasure where nobody would ever find it.  In today's society, how could you even do that?  How can you get from Point A to Point B without being observed or tracked i...

Listen Now
August 23, 2023

Cybersecurity in Popular Culture w/ George Finney LIVE!

by Cyber Ranch

In this LIVE! show at Black Hat, Allan and his friend George Finney (recurring guest, CISO @ SMU, multi-times author and CEO of Well Aware Security) discuss cybersecurity in popular culture.  They talk about the impact on real-world cybersecurity pra...

Listen Now
August 16, 2023

Allan Interviews EVERYONE at Black Hat

by Cyber Ranch

Did you miss Black Hat this year?  Well you won't miss the great conversations that were had, as Allan captured so many good ones for this special Black Hat retrospective episode.   Did you get to attend Black Hat this year?  See if your experience w...

Listen Now
August 9, 2023

Allan is at Black Hat

by Cyber Ranch

A brief thank you to our listeners and a request for feedback on the show. We'll catch y'all next week!

Listen Now
August 2, 2023

The Open Source Security Foundation with Omkhar Arasaratnam

by Cyber Ranch

The OpenSSF is doing invaulable work for the cybersecurity community.  And their new managing director happens to be Omkhar Arasaratnam, whose appearance on the show a while back created one of our most popular episodes ever!  Omkhar is back to talk ...

Listen Now
July 26, 2023

Cloud Security Remediation w/ Tunde Oni-Daniel

by Cyber Ranch

Cloud security remediation can be a daunting task that impacts Dev, Sec and Ops teams all.  And it can be a huge, manual, pain in the...  You get the idea.  But there are techniques to navigate it and to overcome many of the common traps and hurdles....

Listen Now
July 19, 2023

Things We Believe But Cannot Prove w/ Drew Simonis

by Cyber Ranch

In this episode, Allan and Drew tackle and interesting subject that was suggested by Drew and that Allan posted for the LinkedIn community to gather around: things we believe in cybersecurity that we cannot prove. The LinkedIn conversation was phenom...

Listen Now