FBI’s Donald Freese Praises FAIR Approach at (ISC)² Security Congress

Donald Freese, Deputy Assistant Director of the FBI in the information technology branch, gave the opening keynote talk last week to the (ISC)² Security Congress in Austin, and hit some themes inspired by FAIR.

As Freese noted after the event in a LinkedIn post: 

“Special thanks and full credit to Jack Jones, fair institute.org and Doug Hubbard, hubbardresearch.com for their foundational work on measuring and reducing #cyberrisk as referenced during #ISC2Congress opening event.”

Some of Freese’s comments, as reported by Info Security Magazine and TechTarget SearchSecurity:

• "We want to talk about increasing the rigor in how we manage risk."

• "Regretably, …often times we conflate the two [risks and threats]," which lead to every conceivable risk being viewed as an impending threat. "That's simply not a good way to communicate what we're trying to do. It's not giving us traction in the world about how we prioritize our resources against those particular threats…We're crying wolf." 

• “We focus on possibility rather than probability...but we need to be able to measure the probability of the threat. Risk management is all about prioritization.”

• "If we can start the conversation with not only probability but describe the frequency and the magnitude of the impacts based on the intent and capability, then we start to set up a much more understandable paradigm…And let me pause and say it's difficult to do, and that's why we're not doing it yet."

• “Those that are doing well in security are doing so because they are reducing risk in a measurable way.

Freese is a 21-year veteran of the FBI and the former director of the agency’s National Cyber Investigative Joint Task Force. 

Congress organizer (ISC)² is a 120,000-member nonprofit that promotes cybersecurity awareness. It’s best known for administering the Certified Information Systems Security Professional (CISSP) certification program.

The FAIR (Factor Analysis of Information Risk) model, created by Jack Jones, is the only international standard quantitative model for information security and operational risk.