The FAIR Institute’s newest Advisory Board member, Kim L. Jones, is Professor of Practice and Director of the New College of Interdisciplinary Arts and Sciences' Cybersecurity Education Consortium at Arizona State University, where he’s pioneering the development of what he calls cybersecurity “renaissance” men and women, equally at home with the technical and business sides of the profession—and fluent in FAIR risk analysis and communication.
Kim will be a great source of guidance as the Institute pushes forward with its education program, now in partnership with 16 universities, including ASU.
Kim’s own background is of the renaissance-man variety: 30 years in information security, with 11 years as an Army intelligence officer, concluding with a tour at the NSA, and infosec roles at aerospace, call center and financial companies, especially in credit card services.
Before joining ASU in 2016, he was Chief Security Officer at Vantiv, the third-largest credit/debit card processor in the US, where he built the cybersecurity program after the company separated from Fifth Third Bank. He also runs his own firm, Ursus Security Consulting, which offers risk strategy, governance and security assessment services.
Kim was an early adopter of FAIR, starting in 2012 at Vantiv. “I see FAIR as solving a fundamental problem that centers around risk articulation in a factual manner,” Kim says. “While dealing with something statistically viable, we now have a common taxonomy and language to communicate not just to security professionals but to business and financial folks.”
More on Kim’s thinking on the state of the cybersecurity profession, and on why there is a chronic shortfall in cybersecurity talent in the workplace:
Q: You’ve seen a long swath of history for the world of cyber defense. What’s changed since you started in military cyber intelligence?
A: Twenty years ago, when I was doing intelligence and counterintelligence, the question I was asking was "Why are we still concerned with Coke can dead drops when we have this thing called a floppy disk, where I can put a safe’s worth of information in my pocket and walk out of the environment?" We were just beginning to come to grips with the idea that, by networking different systems together, we not only create efficiency, we create vulnerability without understanding the risk factors.
In the military or civilian worlds, it’s been the same paradigm of convenience vs. risk leapfrogging ahead because of the speed of change and frankly, our collective inability to articulate that risk in a meaningful manner.
Q: Fast forward, how do you see the current landscape for cyber risk?
A: Those of us who have been in the industry for more than 10 years have seen this coming. I gave a presentation in 2000 called "The 21st Century CISO" where I made the prediction that we are quickly moving out of the OSI stack and a technology-based economy to a data-driven economy. When data becomes the absolute value, what are we going to do to protect its movement beyond just saying ‘encrypt everything,’ which is a stopgap solution? At that time, it was considered a radical idea. Now we are living that radical idea.
Also, the definition of critical infrastructure has become blurred, and that’s given you a bigger target space to defend, and with people and organizations that are not necessarily driven by national interest but by shareholder interest or stakeholder value. The first requirement in driving shareholder value is, to use the C-I-A triad, Availability, or how to make resources available to customers in a seamless way, not necessarily protecting the crown jewels (Confidentiality). Reconciling those mindsets in a way that makes sense is hard and gets harder if we don’t have a method of quantifying and articulating risk out in the environment.
Q: How does FAIR fit into this picture?
A: Prior to FAIR, we had yet to come up with a methodology that is viable and accurate to put in front of decision makers to say, "You can generate $20 million worth of revenue but you’re taking on an additional $15 million of risk," in a way that is statistically relevant and accurate. That’s been the Holy Grail of the cyber risk environment for many a year. That’s the good news.
The challenge for FAIR is to take it to the next level. FAIR analyses don’t scale down well. The value proposition when you get beyond say the Fortune 500 to smaller shops or mid-tier organizations who may fit in that critical infrastructure is iffy. Such organizations just want to lower their risk. For them, the important question is not just the quantification but rather a mechanism that allows the FAIR user to say “if I adjust these three things, I can bring that risk figure down from 10 to 5 or whatever.” Until we can do that, we’re going to have a problem promulgating the FAIR methodology as best we might.
Problem two is that FAIR requires a base knowledge of statistics. If you have to defend the statistical viability of the results you get through FAIR, to say it’s more than another bunch of smoke-and-mirrors numbers, how are you going to translate that knowledge to the old guys and gals who are running the environment and haven’t had a statistics class in 30 years? More importantly, how are you going to equip the new guys with that knowledge?
(EDITOR'S NOTE: There are now enterprise software solutions available in the market that guide users through such risk analyses without requiring advanced statistics skills, including our Technical Advisor, RiskLens.)
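To make concrete what a FAIR figure like "$15 million of risk" rests on, and what it means to "adjust these three things" and watch the number move, here is an added Monte Carlo sketch in the shape of a FAIR analysis. It is not code from the FAIR Institute, RiskLens or Kim Jones; it uses only the public FAIR decomposition (Loss Event Frequency = Threat Event Frequency x Vulnerability; annual loss = the sum of per-event Loss Magnitude over the year's loss events) and treats each factor as a calibrated min / most-likely / max range drawn from a triangular distribution. The scenario, the ranges and the "after controls" figures are constructed for illustration, not estimates from any real organization.

```python
"""FAIR-style annualized loss exposure by Monte Carlo (illustrative example).

FAIR factors used here (public FAIR taxonomy):
  TEF  - Threat Event Frequency: threat events per year
  Vuln - probability a threat event becomes a loss event
  LM   - Loss Magnitude: dollars lost per loss event
Loss events per year ~ Poisson(TEF * Vuln) (thinning a Poisson stream of
threat events by the per-event success probability); annual loss is the sum
of one LM draw per loss event. Every input is a (low, likely, high) range.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated range estimate, sampled from a triangular distribution."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate    # threat events per year
    vuln: Estimate   # 0..1, probability a threat event succeeds
    loss: Estimate   # USD per loss event


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; fine for the small rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate(scenario: Scenario, years: int = 10_000, seed: int = 1) -> dict:
    """Simulate `years` independent years; return summary statistics of annual loss."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        lef = scenario.tef.sample(rng) * scenario.vuln.sample(rng)
        events = poisson(rng, lef)
        losses.append(sum(scenario.loss.sample(rng) for _ in range(events)))
    losses.sort()
    n = len(losses)
    return {
        "mean": statistics.fmean(losses),   # annualized loss expectancy
        "p50": losses[n // 2],
        "p90": losses[int(0.9 * n)],
        "max": losses[-1],
    }


def compare(before: Scenario, after: Scenario, **kw) -> dict:
    """Show how a control change (the 'adjust these three things' question) moves the figure."""
    b, a = simulate(before, **kw), simulate(after, **kw)
    return {"before": b, "after": a, "mean_reduction": b["mean"] - a["mean"]}


# Constructed scenario: credential-stuffing against a payment portal (hypothetical numbers).
BASELINE = Scenario(
    name="cred-stuffing, password-only login",
    tef=Estimate(4, 12, 30),
    vuln=Estimate(0.30, 0.50, 0.70),
    loss=Estimate(200_000, 500_000, 2_000_000),
)
# Same threat, after MFA and rate limiting lower the success probability (assumed effect).
WITH_CONTROLS = Scenario(
    name="cred-stuffing, MFA + rate limiting",
    tef=BASELINE.tef,
    vuln=Estimate(0.05, 0.10, 0.20),
    loss=BASELINE.loss,
)

if __name__ == "__main__":
    result = compare(BASELINE, WITH_CONTROLS)
    for label in ("before", "after"):
        r = result[label]
        print(f"{label:>6}: ALE ${r['mean']:,.0f}  p50 ${r['p50']:,.0f}  p90 ${r['p90']:,.0f}")
    print(f"mean reduction: ${result['mean_reduction']:,.0f}")
```

The point a practitioner should take from this is that the output is a distribution, not a single number: reporting the p90 alongside the mean is what lets a reviewer tell a defensible estimate from "smoke-and-mirrors numbers", and re-running `compare` with a different input range is the sensitivity check that answers "which of these three things should I fix first".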
Q: You wrote a white paper a while ago on the ‘Security Warrior 2.0’ as a critique of the education process and more generally the mentality in the cybersecurity profession. What was your point?
A: We get two types of individual produced from an academic point of view for the cybersecurity profession.
The first type tends to come out of engineering schools: They’re great at the technology, they’re great coders and their critical thinking skills outside of programming are so-so. They don’t understand how the bad guy thinks and they don’t understand governance, risk and compliance.
Then we get great governance folks usually coming out of business schools who have some understanding of technology but not in enough depth to figure out how to implement, to know the technical tradeoffs and challenges. They tend to be very focused on audit and controls without understanding potential impacts within the technical environment, or the critical thinking skills to know ‘how do I make lemonade out of two apples and a kumquat’ in this environment.
Security requires a holistic, interdisciplinary view and I’m seeing academic institutions not willing to be interdisciplinary. It’s one of the reasons why we have a shortfall in talent now, because academia is not responding to our needs and producing the type of individuals we need.
For me, the overarching goal in producing future cybersecurity warriors is to produce that renaissance individual. I built my program at ASU around that. FAIR, in my opinion, is a component of what the renaissance individual needs to know and understand.
Hear Kim Jones speak as moderator of the panel discussion “Dealing with Ransomware: Pay the Ransom or Pay More by Dealing with the Consequences?” at the 2018 FAIR Conference, October 16 and 17 at Carnegie Mellon University, Pittsburgh. See the FAIRCON18 agenda here.