If there’s one thing that FAIR creator Jack Jones has taught us, it’s to question conventional wisdom in cyber risk management. In that spirit, Paul Guckian, a veteran BISO and interim CISO, and a stalwart of the FAIR Institute London chapter, has adapted how he communicates the two foundational concepts of FAIR: probability and impact.
Paul explained in this short video hosted by FAIR Institute Memberships and Programs Director Luke Bader:
Watch It Now: Meet a FAIR Institute Member, Paul Guckian
“My experience is that non-technical leaders in particular have a real difficulty with probability in terms of security. Our probability in cyber is pretty low and unfortunately the impact is really high.”
Paul cited the recent hack of Jaguar Land Rover, which actually put a dent in the UK’s economy. “Lots of UK boards are asking ‘How could a whole company grind to a halt on the basis of something that happened on a help desk?’”
“I don't think boards can really wrap their head around the fact that these small things can lead to big catastrophes.”
“I’ve started talking a lot more about impact and less about probability…All they care about at the end of the day is impact to a business unit, and that’s the language we need to start talking more.”
Similarly, Paul has found that advocating that the business set a risk appetite is a nonstarter. They “have no clue” on risk levels. “What we are really talking about is impact tolerance…like how many days can this system be down before we know we’re in trouble.”
“We need a language in the middle” between a more technical approach to risk management and the bottom line – “and that’s where quantification can help.”
Learn more about Paul Guckian’s approach to cyber risk quantification and FAIR – watch the Meet a Member video.