While we’re still learning the details of that massive data breach at Facebook – account keys for 50 million users stolen, and potentially wider impact as the same keys were used to log in to third party accounts – FAIR Institute Chairman Jack Jones says this incident, like others before it, exposes some of the shaky underpinnings of cybersecurity risk management. At least if we take the time to look at it carefully and realistically.
Ireland’s Data Protection Commission is investigating the Facebook breach for violation of the EU General Data Protection Regulation (GDPR), which went into effect in May. The EU could levy staggering fines on Facebook under the GDPR, well over $1 billion, for failing to give customer data “reasonable” protection. The regulation doesn’t define “reasonable” precisely – and that points to the crux of a problem, Jack says.
“Reasonableness is usually defined something along the lines of what the typical rational person would do, and in the cybersecurity field that’s often thought of as following the various standards and best practices,” Jack says. “But look at virtually any organization (at least of any size or complexity) and very few of them are living up to those standards.
“For example, I asked my audiences at a couple of conferences recently if any of them worked for an organization that does NOT have the same challenges that Equifax had regarding patching, and not a single hand went up. I could have asked about access privilege management, shadow IT, asset management, or legacy technologies and the response would have been largely the same. The dirty little secret is that all organizations struggle with the same problems. So either our expectations are wrong or we're ineffective as a profession. Or both to some degree.
“The question we should be asking is why most organizations struggle so much with practicing ‘good’ security? I don’t think it’s from lack of effort. Nor do I believe it’s from a lack of executive support or an absence of stiff enough penalties. When I think back on my time as a CISO, and when I look at the organizations I encounter today, the biggest problem is noise.
“Today’s technology environments are more complicated and dynamic than ever – and resources are finite – so being able to cut through the noise to reliably identify and focus on the risks that matter most is crucial. And once these top risks have been identified, we have to be able to apply the most cost-effective solutions, which are often not ‘best practices’.
“Both of these steps require effective risk measurement, yet that’s something our profession treats as an afterthought. Anybody and their cousin gets to apply their uncalibrated mental models, ignore meaningful data collection or analysis, and proclaim high/medium/low risk. Or, sometimes worse, we accept on faith the severity scores being spit out by various security technologies and poorly defined industry models. Scores that often don’t correlate very strongly to risk and that don’t mean anything to decision-makers.”
Until that deficiency is corrected, says Jack, “my perspective is that draconian fines shouldn't be levied unless there is clear evidence that the organization was completely asleep at the wheel risk management-wise – not that an organization was non-compliant. Otherwise, it's a lottery because everybody is in the same boat and it really boils down to who is unlucky enough to get breached, while the rest of us wipe our brows and say, ‘Thank god it’s not me.’”
Fortunately, risk models like FAIR, and the processes and technologies that surround them, have emerged in recent years and are helping organizations cut through the noise to identify their top risks and most cost-effective solutions.
Jack Jones is the creator of Factor Analysis of Information Risk (FAIR), the international standard for quantifying risk in financial terms. About 30% of the Fortune 100 use FAIR to prioritize and measure ROI on their cybersecurity investments.