Meet the FAIR™ evangelist at the US Department of Agriculture, Caleb Juhnke, a contracted Senior Cyber Risk analyst, part of the leading edge introducing quantitative cyber risk analysis to the federal government (alongside the Department of Energy and NASA – watch their session at the last FAIR Conference).
Caleb’s thinking on risk management was shaped by his experience in the US Navy’s submarine force. “When your goal its being undetectable,” he says, “almost everything presents a risk to safety and the mission. I really learned the importance of quickly identifying risk into categories and prioritizing. ‘When everything is a risk, nothing is’ can be a very dangerous mindset that experienced submariners have to be intentional to avoid.”
Like many FAIR practitioners, Caleb discovered (at the suggestion of a mentor at USDA) the FAIR book, Measuring and Managing Information Risk, to get past a risk management roadblock – in his case, prioritizing the required federal POA&M’s (Plan of Action & Milestones) for information security risks.
Learn about specialized FAIR training for federal government risk analysts through the FAIR Institute.
Watch Caleb's conversation with Luke Bader, Director of Membership and Programs for the FAIR Institute:
The reality was, Caleb says, “When you have no agreed upon-metric of ranking, you default to what matters most to the organization…We were prioritizing on which risks on been on the books longest – and that’s not a good way to do risk management. That project was when I was first introduced to FAIR and I feel like that was just the start of the journey.”
Since then, Caleb has been leading the agency on what he calls “baby steps,” mainly to introduce the standardized terminology of FAIR and the technique of analyzing risk in scenarios. “We’ve been able to apply that across the board and that’s empowered and enabled conversations between operations, strategy and management that’s been really fantastic.”
Read a blog post for the FAIR Institute by Caleb: What to Do After You Pitch Quantitative Risk Analysis.