Jack Jones’ 2019 Insights on Building a Cyber Risk Management Program – and Outrunning the Bear
“Thought leadership” is a term that gets used loosely, but Jack Jones, creator of Factor Analysis of Information Risk (the FAIR™ model) and Chairman of the FAIR Institute, has been out in front of the profession for years, patiently pointing out the limitations of conventional, qualitative risk analysis and crusading for a more disciplined approach to cyber and operational risk management based on critical thinking and quantification.
In 2019, Jack led again with true thought leadership – here’s a sampling:
In his keynote address kicking off the annual FAIR Conference, Jack greatly expanded the horizons of FAIR practitioners to show how the risk analysis model could be a change-maker throughout the organization – starting on a basic level with the clarity that FAIR terminology brings to discussions of risk, and moving up to strategic decision support.
Cyber risk quantification is generating plenty of buzz (from Gartner and other industry analysts), but in this guide Jack cuts through the marketing and lays out objective, detailed advice on acquiring a cyber risk quantification (CRQ) solution, including how to set goals, questions to ask any vendor, and red flags to watch for in their responses.
After a run of high-profile breaches, the infosec profession has been way too quick to blame non-technical management for failure to understand cybersecurity issues and fund cybersecurity projects, Jack wrote in this blog post. As long as the profession continues to communicate through red-yellow-green heat maps, vulnerability counts, and other strictly technical terminology, “it doesn’t seem to me that leadership can be held accountable…The onus is on our profession to take an honest look at how we understand, measure, and communicate the challenges within our problem space.”
Jack took questions at NACD’s Global Board Leaders Summit from directors who wanted to know what kind of reporting they should get on cyber. First, they should know the organization’s top risks, Jack counseled. “But here’s the point I want to drive home — and if this makes you uncomfortable, good – and that is, no organization I’ve walked into in recent years has done that” because they’re distracted by things like “phishing” or “internet of things” that aren’t true risks with a measurable frequency and magnitude. Second, directors need to press to uncover the root causes of cybersecurity failures, usually systemic problems. “When a problem occurs ask ‘why’ at least five times to get to root cause.”
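The distinction Jack draws above, between a label like “phishing” and a risk that has a measurable frequency and magnitude, is easiest to see in a small quantification. The following is an added illustration, not code from Jack Jones or the FAIR Institute: it uses a deliberately simplified FAIR-style model (a Poisson loss event frequency and a triangular per-event loss magnitude, both assumptions made here; FAIR proper uses calibrated PERT-style estimates and a fuller factor tree) and constructed, not real, input values. Phishing appears only as the threat vector inside a properly framed loss scenario, which is what makes the result an annualized loss exposure rather than a count.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class RiskScenario:
    """A loss scenario: a threat acting against an asset with a stated loss effect.

    Frequency and magnitude are calibrated estimates. The values used in this
    example are constructed for illustration, not data from any organization.
    """
    name: str
    loss_event_frequency: float   # expected loss events per year (Poisson rate, an assumption)
    loss_min: float               # per-event loss, minimum (currency units)
    loss_most_likely: float       # per-event loss, most likely
    loss_max: float               # per-event loss, maximum


# Constructed scenario: "phishing" is the vector, but the risk is the loss event.
SCENARIO = RiskScenario(
    name="Phishing-delivered credential theft leads to exposure of customer records",
    loss_event_frequency=2.0,
    loss_min=10_000.0,
    loss_most_likely=50_000.0,
    loss_max=200_000.0,
)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small annual rates typical of risk scenarios."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(s: RiskScenario, trials: int, seed: int = 1) -> list[float]:
    """Monte Carlo: for each simulated year, draw the number of loss events, then sum
    a per-event magnitude for each. Returns one annual loss figure per trial."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        events = poisson(rng, s.loss_event_frequency)
        total = 0.0
        for _ in range(events):
            # random.triangular takes (low, high, mode)
            total += rng.triangular(s.loss_min, s.loss_max, s.loss_most_likely)
        losses.append(total)
    return losses


def expected_annual_loss(s: RiskScenario) -> float:
    """Closed form: Poisson rate times the mean of the triangular magnitude distribution.
    Useful as a sanity check on the simulation."""
    return s.loss_event_frequency * (s.loss_min + s.loss_most_likely + s.loss_max) / 3.0


def percentile(sorted_values: list[float], q: float) -> float:
    idx = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[idx]


def summarize(s: RiskScenario, trials: int = 20_000, seed: int = 1) -> dict:
    """Report the kind of figures a board can act on: mean, tail percentiles,
    and the probability of experiencing any loss in a given year."""
    losses = sorted(simulate_annual_loss(s, trials, seed))
    return {
        "mean": sum(losses) / len(losses),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p99": percentile(losses, 0.99),
        "prob_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


if __name__ == "__main__":
    print(SCENARIO.name)
    print("analytic expected annual loss:", round(expected_annual_loss(SCENARIO)))
    for k, v in summarize(SCENARIO).items():
        print(f"{k:>14}: {v:,.2f}")
```

The p90 and p99 figures are what distinguish this from a heat-map colour: two scenarios with the same mean can have very different tails, and that difference is what a risk-informed spending decision turns on.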
An old joke in infosec circles: Two hikers run into a bear. The first hiker takes off his boots and puts on running shoes. The second hiker points out that no one can outrun a bear. “I don’t need to outrun the bear,” the first hiker replies. “I just need to outrun you.” The lesson is that a cybersecurity program doesn’t need to be good, just better than the one next door. “The lesson is dead wrong,” Jack writes: Organizations that benchmark themselves against others learn “very little about the actual efficacy of a cybersecurity program.”
More from Jack Jones in 2019:
The world is catching up to Jack: in 2019, the keepers of both the NIST CSF and COSO ERM frameworks added FAIR to their best practices and SC Media named the FAIR Institute one of the most important industry organizations of the last 30 years.