One of the questions I like to ask CISO’s is, “What is the most cost-effective control in your arsenal?” The responses are varied and interesting, but their answers are pretty consistently based on bias
Jack Jones
Recent Posts
Once again, after a run of high profile breaches,
I’ve begun to hear cries that “leadership didn’t sufficiently support” an organization’s cybersecurity program. I’m sorry, but I just don’t buy it.
If you’ve been in the cybersecurity profession for any length of time, you’ll have heard (or said) the old chestnut about two hikers who run into a bear on the trail. One hiker immediately takes off his hiking boots and puts on his running shoes.
Yesterday, while speaking to a university cybersecurity class, I was accused of being pedantic when I pointed out a problem with the phrase “The risk of that impact…”
FAIR model creator Jack Jones recently answered a FAIR Institute member's question about terminology that's one of those easily confused yet critical distinctions in cyber risk management: What's the difference between a security exception (or policy exception) and risk acceptance?
Star Trek movie fans will likely recognize “Kobayashi Maru” as a reference to the training exercise used by Star Fleet to evaluate how cadets respond to a no-win scenario.
You will hear some in the profession refer to “upside risk” and “downside risk”, or “positive risk” and “negative risk.” This can be confusing for the vast majority of people who think of risk solely in terms of loss from adverse events
One of the significant hurdles we have to overcome as a profession is our addiction to “zero cost” risk measurement. Let me explain…
A few days ago I had the privilege of providing the opening keynote address at an IANS event in Dallas. If you’re not familiar with IANS (Institute for Applied Network Security), I encourage you to look into it as I believe it serves a very useful purpose and is working hard to be forward-looking. Regardless, one of the questions that was discussed at this event was how much of a CISO’s focus should be on business versus technology.
This last post in the series will focus on briefly summarizing and answering the thoughts/concerns posted by Martin Huddleston in his comments following Part 2. I felt this follow-up post was warranted because some readers seemed to misinterpret Martin’s comments as an indictment
