“Think of all the advantages the bad guys have,” FAIR Institute Chairman Jack Jones tells an audience this week at the InfoSecWorld 2017 Risk Management Summit in Orlando.
“We have to protect a very complex and dynamic landscape. The bad guys can pick and choose what they want to go after. And we are giving them a gift.
“The fact that we can’t prioritize and focus on the stuff that matters most is a gift we give them every day. The good news is that’s within our control.
“Step One is get your terms and concepts straight. Nothing else is likely to be successful if you don’t.”
Jack explains that “as a profession, we are so bad with foundational terminology and basic principles that our attempts to measure risk are not going to be successful as long as that’s the case.”
In his talk, Jack suggests this quick definitions test….
The common answer is “All of them are risks.” The right answer is…
Why the lack of clarity? Jack elicits the answer from the audience with another question.
What’s the most common cyber risk model that risk managers use?
The usual answers Jack hears mention NIST CSF or other risk management frameworks.
In fact, the most common method is the subjective mental model inside the head of the risk manager.
“You combine that with the terminology challenges and the odds of getting it right are just slim.
“At the end of the day it boils down to you can only manage what you can measure. And you can only measure what you can clearly define.”
Jack leads the Risk Summit audience through a day-long seminar on how to focus on what really matters in risk measurement and management, including the FAIR model for defining and measuring risk. He’s joined by risk management authorities Evan Wheeler, Director Information Risk Management at MUFG Union Bank, and Ron Woerner, Director of CyberSecurity Studies at Bellevue University.
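To make the “define, then measure” point concrete, here is an added illustration of how FAIR’s top-level decomposition turns clearly defined terms into a measurable quantity. It is not material from the talk, the slides, or the FAIR Institute’s own tooling; the scenario names, ranges and simulation parameters are constructed for the example, and annual loss per trial is approximated as loss event frequency times loss magnitude, a simplification of FAIR’s full event-count sampling.

```python
"""Minimal FAIR-style risk quantification.

Added illustration, not from Jack Jones' talk or the FAIR Institute's tooling.
FAIR's top-level decomposition, which this follows:

    Loss Event Frequency (LEF) = Threat Event Frequency (TEF) * Vulnerability
    Risk = probable frequency (LEF) and probable magnitude (Loss Magnitude, LM)
           of future loss

Each factor is estimated as a calibrated (low, most likely, high) range and
propagated with a Monte Carlo simulation. Annual loss per trial is approximated
as LEF * LM, a simplification of FAIR's event-count sampling. All scenario
names and numbers below are constructed for the example.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """A calibrated estimate: low, most likely, high."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode)
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Range   # threat events per year (how often the attacker acts)
    vuln: Range  # probability a threat event becomes a loss event, 0..1
    lm: Range    # loss per loss event, in currency units


def simulate_annual_loss(scn: Scenario, trials: int = 10_000, seed: int = 1) -> list:
    """Return one simulated annual loss per trial."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        lef = scn.tef.sample(rng) * scn.vuln.sample(rng)  # loss events per year
        losses.append(lef * scn.lm.sample(rng))
    return losses


def percentile(values: list, p: float) -> float:
    """Nearest-rank percentile of a list of samples."""
    s = sorted(values)
    return s[min(len(s) - 1, int(p * len(s)))]


def summarize(scn: Scenario, **kw) -> dict:
    """Mean and 10th/90th percentile of simulated annualized loss."""
    losses = simulate_annual_loss(scn, **kw)
    return {
        "name": scn.name,
        "mean": statistics.fmean(losses),
        "p10": percentile(losses, 0.10),
        "p90": percentile(losses, 0.90),
    }


def rank_scenarios(scenarios, **kw) -> list:
    """Order scenarios by mean annualized loss, highest first."""
    return sorted((summarize(s, **kw) for s in scenarios),
                  key=lambda r: r["mean"], reverse=True)


# Constructed scenarios. The first has the "scarier" vulnerability, the second
# the larger risk; treating the two as the same thing is the terminology trap.
UNPATCHED_TEST_SERVER = Scenario(
    "Unpatched internal test server",
    tef=Range(0.1, 0.5, 1.0),
    vuln=Range(0.7, 0.9, 1.0),
    lm=Range(1_000, 5_000, 20_000),
)
FINANCE_PHISHING = Scenario(
    "Phishing against finance staff",
    tef=Range(20, 50, 100),
    vuln=Range(0.05, 0.15, 0.3),
    lm=Range(10_000, 50_000, 500_000),
)

if __name__ == "__main__":
    for row in rank_scenarios([UNPATCHED_TEST_SERVER, FINANCE_PHISHING]):
        print(f"{row['name']:32s} mean {row['mean']:>12,.0f}"
              f"  p10 {row['p10']:>10,.0f}  p90 {row['p90']:>12,.0f}")
```

Run as a script, the ranking puts the phishing scenario well ahead of the test server even though the server is “more vulnerable”: a vulnerability is one factor in loss event frequency, not the risk itself, and only after each term has a definition can the two scenarios be compared on the same scale.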