Jack Jones, FAIR Institute Chairman and creator of the FAIR model, gave a wide-ranging keynote speech at the 2018 FAIR Conference on “The Next Frontier in Risk Management”. It was both a candid look at the challenges faced by the risk profession and a call to action to move up to true risk management maturity.
Jack laid out a deceptively simple definition of the objective for risk professionals:
“Enabling the organizations we serve to cost-effectively achieve and maintain an acceptable level of risk.”
Jack then ticked off the standard checklist for risk management maturity, including:
- Essential/fundamental security technologies deployed?
- Active education and awareness program?
- Uses a risk register to track “risks”?
He then challenged the audience to hit a higher standard, including:
- Cost-effective security technologies are providing their intended value
- An effective education and awareness program exists
- A risk register is used to track and report the most important risks
Jack next revealed some of the results from the FAIR Institute’s 2018 Risk Management Maturity Benchmark Survey. The survey is based on a detailed questionnaire filled out anonymously by CISOs and other security managers, and the data is used to score each organization on a scale of maturity: in other words, how well they "make well informed decisions" and "execute reliably", judged by indicators such as use of risk terminology or a risk model. The bottom line: the surveyed companies were still at a low level of maturity, though up from last year. "Our new frontier is risk management maturity," Jack said.
Why the low levels? Jack dug deeper, into the psychology of the risk profession. He urged the conference to “understand why we operate the way we do as a profession”, particularly a reliance on shortcuts and "easy buttons", and to “develop and enable better alternatives.”
Jack suggested taking a page from the research into human thought processes by psychologist and Nobel Prize winner Daniel Kahneman, author of Thinking, Fast and Slow. Kahneman writes about System 1 thinking, fast and reflexive, vs. System 2 thinking, slower and orderly. Jack challenged the conference audience to consider which system they’re relying on when they, for instance, rate audit and security findings High/Medium/Low or rely for guidance on common maturity models like NIST CSF. System 1 thinking isn’t necessarily bad, he said, but it does need to be calibrated.
“We’re beginning to make great progress on the risk measurement frontier,” Jack said, but “we have to open a second frontier to change views of what ‘mature’ means,” particularly by working to show organizations the limitations of System 1 thinking applied to risk.
“The opportunity exists to dramatically improve the state of our profession,” Jack concluded. “Let’s do this!”