FAIR Institute Chairman Jack Jones recently appeared on the Privacy Please podcast hosted by Cameron Ivey and Gabe Crumbs of Spirion, the data protection company, for a wide-ranging discussion that turned to Jack’s advice on how to successfully start a new job as a CISO, with a boost from Factor Analysis of Information Risk (FAIR™).
Jack focused in on two bits of advice:
1. Identify your crown jewels - name an “asset czar”
“We hear a lot of people say, we don’t even know where all our data is, so we can’t do something like FAIR,” Jack said. “That’s ridiculous on the face of it…at least [use FAIR to] make decent decisions about what you do know. If you’re waiting for perfect data or ‘enough data’, then we will all die of old age before that happens.
“If I were to step into a CISO role today, somebody [on the staff] would be given the responsibility of asset czar.
“They would be responsible for knowing what we know, and going after what we don’t know to flesh out our understanding of where our crown jewels are. It’s not sexy but it is so important. I think that’s one of the many things that we as a profession need to take a lot more seriously.”
2. Identify your new organization’s top risks through FAIR triage
After stepping into a new CISO role, “The other thing I would want to do is a series of FAIR triage analyses to gain a high-level understanding of…what part of my risk landscape is hottest and coolest,” Jack said.
“It can be done really inexpensively, very quickly, and it can enable you to identify what the organization’s top risks are.
“In the last 3 years, I’ve been in a number of organizations who had gone through the exercise of identifying their top risks. But they haven’t done it using something like FAIR.
“More often, the security team gets into a room and argues for a week and throws stuff on the wall and then the loudest voices or highest ranks win, and they come up with a list of 10 things they are most concerned about.
“When these organizations have asked us to come in and look at their list of top 10 risks, not once was their list even close to what their actual top risks are. Because it’s not based on any sort of analysis. If that’s the prevailing situation in organizations, it’s no wonder the bad guys keep eating our lunch.”
Is FAIR right for your organization? Find out in an Executive Briefing from the FAIR Institute.
Start by asking “based on the industry you’re in, the kind of data you handle, and the kind of services you provide, what are the loss event scenarios that are meaningful to your organization, just at a high level.
“From there, you begin to break that down into the different ways those events can materialize. For example, outages can occur due to natural disaster, human error, technology failure, or bad actors, whatever.
“So, you start with what the high-level loss event scenarios are that can be really meaningful to the organization. Then go down a couple layers of abstraction, parsing those high-level scenarios into more specific discrete scenarios. Then you do triage FAIR analyses on those scenarios.
“It’s not rocket science, and you don’t have to spend weeks or months going after a bunch of data, this is triage.
“Save the deep data dives for the things that bubble up to the surface once you’ve gone through this, when you need to communicate how much loss exposure one risk or another represents to the organization, or you need to talk about the cost/benefit of improvements.
“You can cover so much ground very quickly long before having to wrestle the data monsters.”
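The decomposition Jack describes, carried through as an added Python example that is not part of the original post or of the FAIR standard’s own tooling: high-level loss event scenarios are broken into discrete scenarios by cause, each gets rough minimum/most likely/maximum ranges for loss event frequency and loss magnitude, and the scenarios are ranked by annualized loss exposure so the hottest ones bubble up for a deeper dive. All scenario names and figures are constructed, and the triangular distribution is an assumption standing in for whatever distribution your FAIR tooling uses.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Range:  # triage-grade estimate: minimum, most likely, maximum
    low: float
    likely: float
    high: float
    def point(self) -> float:
        return (self.low + self.likely + self.high) / 3  # mean of a triangular distribution (assumed shape)
    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)

@dataclass(frozen=True)
class Scenario:
    parent: str  # high-level loss event scenario
    cause: str   # the way it can materialize
    lef: Range   # loss event frequency, events per year
    lm: Range    # loss magnitude, currency units per event

# Constructed sample inputs; the scenarios and figures are invented for illustration, not taken from the page.
SCENARIOS = [
    Scenario("Customer portal outage", "natural disaster", Range(0.01, 0.05, 0.1), Range(200_000, 800_000, 3_000_000)),
    Scenario("Customer portal outage", "human error", Range(1, 3, 6), Range(5_000, 25_000, 100_000)),
    Scenario("Customer portal outage", "technology failure", Range(0.5, 2, 4), Range(10_000, 40_000, 120_000)),
    Scenario("Customer portal outage", "bad actors (DDoS)", Range(0.2, 1, 3), Range(20_000, 80_000, 400_000)),
    Scenario("Customer PII breach", "bad actors (external)", Range(0.05, 0.2, 0.5), Range(500_000, 2_000_000, 10_000_000)),
    Scenario("Customer PII breach", "insider misuse", Range(0.02, 0.1, 0.3), Range(100_000, 500_000, 3_000_000)),
]

def point_ale(s: Scenario) -> float:
    """Annualized loss exposure point estimate: frequency x magnitude (estimates treated as independent)."""
    return s.lef.point() * s.lm.point()

def triage(scenarios, seed: int = 7, n: int = 10_000) -> list:
    """Monte Carlo ALE per discrete scenario (mean and 90th percentile), hottest first."""
    rng = random.Random(seed)
    rows = []
    for s in scenarios:
        ale = sorted(s.lef.sample(rng) * s.lm.sample(rng) for _ in range(n))
        rows.append({"scenario": f"{s.parent} / {s.cause}", "point": point_ale(s),
                     "mean": sum(ale) / n, "p90": ale[int(0.9 * n)]})
    return sorted(rows, key=lambda r: r["mean"], reverse=True)

def heat_by_parent(scenarios) -> dict:
    """Roll point ALE up to the high-level scenario to see which part of the landscape is hottest."""
    totals: dict = {}
    for s in scenarios:
        totals[s.parent] = totals.get(s.parent, 0.0) + point_ale(s)
    return totals
```

The `p90` column is what separates a scenario with a modest average but a fat tail from one that is merely frequent, which is the distinction worth spending the later deep data dives on.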
Get a close-up look at FAIR triage in action: watch this video from the 2020 FAIR Conference, “How to Rapidly Triage Issues with FAIR to Focus on What Matters Most.”