FAIR Institute Blog

Jack Jones

Recent Posts

Jack Jones on the Cybersecurity Executive Order: Bold Changes, but Missed Opportunity for Measuring Risk?

May 20, 2021 9:36:51 AM / by Jack Jones posted in Jack Jones, Government

2 Comments

I’m thrilled with many of the provisions in the President’s recent Executive Order on Improving the Nation’s Cybersecurity. The tiered software security ratings system, the IoT consumer labeling, the cybersecurity review board, and the emphasis on sharing information on breaches and other cyber incidents, are all bold initiatives

Jack Jones: State ‘Safe Harbor’ Laws Should Promote Effective Cyber Risk Management, Not Just Compliance with Frameworks

Apr 7, 2021 12:43:04 PM / by Jack Jones posted in Jack Jones

2 Comments

State legislatures in Nevada, Ohio, Utah and Connecticut have passed or are in the process of passing “safe harbor” protection against negligence lawsuits for companies hit with a data breach – if the companies implement controls from a recognized cybersecurity framework.

Jack Jones on How the COVID-19 Pandemic Is Likely to Affect Cybersecurity Programs

Mar 19, 2020 8:30:00 AM / by Jack Jones

2 Comments

One of the questions I like to ask CISOs is, “What is the most cost-effective control in your arsenal?” The responses are varied and interesting, but their answers are pretty consistently based on bias

Jack Jones: Quit Blaming Executives for Cybersecurity Problems

Aug 19, 2019 8:45:00 AM / by Jack Jones posted in Risk Management, Jack Jones

5 Comments

Once again, after a run of high-profile breaches, I’ve begun to hear cries that “leadership didn’t sufficiently support” an organization’s cybersecurity program. I’m sorry, but I just don’t buy it.

There's More than One Bear...

May 23, 2019 10:35:02 AM / by Jack Jones posted in Risk Management

0 Comments

If you’ve been in the cybersecurity profession for any length of time, you’ll have heard (or said) the old chestnut about two hikers who run into a bear on the trail.  One hiker immediately takes off his hiking boots and puts on his running shoes. 

Jack Jones: How Much Risk Does that Risk Represent?

Feb 21, 2019 8:00:00 AM / by Jack Jones posted in FAIR, Risk Management, Jack Jones

2 Comments

Yesterday, while speaking to a university cybersecurity class, I was accused of being pedantic when I pointed out a problem with the phrase “The risk of that impact…”

Security Exception vs. Risk Acceptance: What's the Difference?

Feb 6, 2019 2:00:00 PM / by Jack Jones posted in FAIR, Risk Management

10 Comments

FAIR model creator Jack Jones recently answered a FAIR Institute member's question about terminology that's one of those easily confused yet critical distinctions in cyber risk management: What's the difference between a security exception (or policy exception) and risk acceptance?

A 'Kobayashi Maru' Exercise for ISO31000 Risk Analysis

Nov 6, 2018 12:00:00 PM / by Jack Jones posted in FAIR

0 Comments

Star Trek movie fans will likely recognize “Kobayashi Maru” as a reference to the training exercise used by Star Fleet to evaluate how cadets respond to a no-win scenario

Clarifying "Upside" and "Positive" Risk

Oct 30, 2018 9:00:00 AM / by Jack Jones

0 Comments

You will hear some in the profession refer to “upside risk” and “downside risk”, or “positive risk” and “negative risk.”  This can be confusing for the vast majority of people who think of risk solely in terms of loss from adverse events

Our Addiction to "Zero Cost" Risk Measurement

Jun 20, 2018 9:00:00 AM / by Jack Jones posted in Risk Management

0 Comments

One of the significant hurdles we have to overcome as a profession is our addiction to “zero cost” risk measurement.  Let me explain…
