Jack Jones, Chairman of the FAIR Institute and creator of Factor Analysis of Information Risk (FAIR™), the international standard for cyber risk quantification, sees 2020 as the year that taught many CISOs some hard lessons about being able to communicate return on investment for security spending.
In this conversation, we also covered other insights into 2020 – was the effect on security from the big move to work from home not as significant as we thought? – and the big innovation Jack plans in 2021, a new analytics model for security controls that “could fundamentally change some aspects of the risk management industry.”
Looking back over 2020, what significant change did you see in the practice of cybersecurity and cyber risk management?
As organizations faced a very difficult economic climate, executives realized the need to understand in real terms the value proposition for the money and resources that go into cybersecurity. As they looked where to cut costs – and a lot of money is going to cybersecurity – they realized that they know how to cut operations, marketing, and sales, but had no idea how to safely rationalize cybersecurity cuts because they only get red/yellow/green, qualitative reporting on cyber risk.
That dimension of stewardship over resources with regard to cybersecurity is finally front and center. Actually, that was the catalyst behind FAIR to begin with, so it should have been a topic of conversation over the last two decades but it hasn’t been.
What has this change meant for CISOs?
For CISOs at many companies, budgets have grown every year; they really haven’t been challenged with resource optimization. This is a wake-up call for a lot of CISOs – the CFO comes knocking: “Your budget is cut or flat for next year.”
At that point, they are faced with the question of ‘Which things matter most and how much more risk do we take on if we have to stop performing, or reduce, some security measures?’
How did you see the risk landscape change in 2020?
With the shift to more remote workers, we have a more diffuse landscape, which potentially means that it’s harder to have the same level of assurance on some of those endpoints. The technologies available to us should enable us to appropriately manage this, but not every organization has those technologies in place, or has applied them well.
That said, I suspect that when you lift the covers you’ll see this is still primarily a “cyber hygiene” problem. Unfortunately, many organizations have cyber hygiene problems when things aren’t remote too, so it’s not clear yet how much the remote workforce situation is really going to affect losses.
Late in the year, we got the news on the SolarWinds hack, with widespread effects. What’s your thought on that situation?
I don’t have enough information about the SolarWinds hack to comment with much confidence. That said, I assume that at the end of the day we’ll see that the company had taken security seriously, followed the usual checklists, and employed good security professionals. We’ll probably also find evidence of SolarWinds being unable to filter out the noise that makes security so difficult to prioritize or communicate to stakeholders. Most of this noise is, in my experience, a function of poor risk measurement practices and immature industry practices.
You talked about the increasing need to justify cybersecurity spending on a cost/benefit basis. What other signs did you see in 2020 about the advance of risk quantification?
The continued rapid growth of the FAIR Institute and membership there, and interest by major industry organizations in FAIR, is a clear sign that quantification is going to be a part of future expectations as a profession. Those who are embracing that fact are choosing to be on the bus rather than under the bus.
In the coming year, there are rumors about new regulations and direction from the government on due diligence from a risk management perspective, and the expectation is that will include quantitative risk measurement. I’m not a default fan of regulation; things can be over-regulated. In absence of that pressure though, industry tends to evolve really slowly. If done well, regulation could be an important harbinger of growth and evolution for our industry.
But change within a profession is hard and I think the natural tendency is to regress to the mean when the pressure is off, or when a new situation becomes the new normal. I already see some of that.
What are you looking forward to personally in 2021?
The big thing for me will be publishing new research on controls-to-risk mapping through the FAIR Institute. I believe it could have significant positive implications for the industry like, for example, enabling empirical measurement of control efficacy and ROI.
The controls frameworks we have today are not analytic models; they are lists of control good practices. And although these frameworks are very useful as checklists, they inherently aren’t able to support defensible measurement of control efficacy. For example, none of them capture dependencies between controls, many of the control descriptions are too ambiguous for reliable measurement, and they all rely on ordinal measurements, which can’t reliably be translated into risk reduction.
The goal of this research is to allow us to make these measurements in terms of risk reduction, based on actual units of measurement, accounting for dependencies between controls, and in a way that can be empirically validated. It will be completely different from anything else out there.
Recognition for FAIR in 2020