Zach Cossairt, Information Risk Program Manager at Equinix, the global data centers company, spent nine years on active duty as a member of the U.S. Navy Submarine Force. During his time at sea, he was responsible for aggregating and analyzing data from intelligence sources and informing mission-critical decision-making of the ship’s leadership.
He earned a Bachelor of Science in Security and Risk Analysis from Penn State University and now studies Judgment and Decision Making in the Master of Arts in Behavioral Economics Program at The Chicago School of Professional Psychology.
The FAIR Institute honored Zach Cossairt with the 2021 FAIR Business Innovator Award for his work bringing cyber risk quantification to Equinix.
Q: How did you first hear about FAIR?
A: My first exposure to FAIR was during my undergrad at Penn State. The inaugural course was on security risk assessment and I learned about FAIR in that context. There was no turning back from there for me. You can say that imagery from Jack and Jack [Jones and Freund, authors of Measuring and Managing Information Risk, the FAIR book] of the “red-pill blue-pill” moment from “The Matrix” closely illustrates the beginnings of my career path.
I utilized FAIR substantially during numerous projects and eventually a capstone project culminating in a FAIR risk analysis and presentation of results. I'd say FAIR and the concepts of quantitative risk analysis played a large role in how I approached that degree and helped guide me throughout.
Q: What benefits has quantification brought to the way you manage risk?
A: Substituting the word “measurement” for “quantification” has probably been the biggest game-changer for managing risk in my career and personal life.
Understanding that using annualized frequencies, confidence intervals, etc. was all about measurement helped clarify and further my understanding of risk management.
Before attempting to prioritize resources to manage risk, you must reduce enough uncertainty to make comparisons and evaluate choices. FAIR’s focus on quantification brings the benefit of using data instead of vague vocabulary to communicate uncertainty. Shout out to Evan Wheeler for that one.
Q: What are some tips that you would give about effectively communicating risk to leadership?
A: I have two broad advice themes for anyone looking to successfully communicate quantitative risk analysis results – humans and framing. The latter builds on the former, and both are crucial factors to consider.
The human element of risk is by far the most challenging aspect of what we do. There is always a personal agenda, difference or similarity of opinions, healthy skepticism, and a whole lot of cognitive bias between you and your audience for the risk analysis.
In the business of risk, we are looking forward and driving best resource prioritization around future loss events that may or may not occur. We are asking a decision-maker to incur costs up front to reap benefits later.
Cognitively speaking, we are not good at projecting the future benefits of our current choices, which is exacerbated when you put more time between the two. The key to mitigating this is focusing on our choice architecture. Fans of Richard Thaler and Cass Sunstein’s acclaimed book Nudge will recognize some of these concepts.
Choice architecture is what we do on a day-to-day basis when we communicate risk results to decision-makers. Think of the report you generate as the environment where alternatives are framed as choices. We should do our best as risk managers and choice architects to make it as easy as possible to map present choices with future outcomes. This sounds like a good return on risk mitigation assessment using FAIR.
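As an added illustration (not Zach's or Equinix's own analysis), the FAIR-style Monte Carlo below shows the measurement idea from these answers in code: annualized loss event frequency and loss magnitude entered as calibrated 90% confidence intervals, the annualized loss exposure reported as a range rather than a point value, and the present choice (a hypothetical control) mapped to its expected future loss reduction net of cost. Every input figure is constructed.

```python
import math
import random
def lognormal_params(low, high):
    """Turn a calibrated 90% CI (5th/95th percentile) into lognormal mu, sigma."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.645)  # 1.645 = z for 90% CI
    return mu, sigma

def poisson(rng, lam):
    """Knuth's method: how many loss events occur in one simulated year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_ale(lef_ci, lm_ci, trials=10000, seed=1):
    """Monte Carlo of one year: draw loss event frequency (events/yr), then a
    Poisson number of events, each with a lognormal loss magnitude."""
    rng = random.Random(seed)
    lef_mu, lef_sig = lognormal_params(*lef_ci)
    lm_mu, lm_sig = lognormal_params(*lm_ci)
    losses = []
    for _ in range(trials):
        events = poisson(rng, rng.lognormvariate(lef_mu, lef_sig))
        losses.append(sum(rng.lognormvariate(lm_mu, lm_sig) for _ in range(events)))
    return sorted(losses)

def percentile(sorted_samples, p):
    """Nearest-rank percentile of an ascending sample."""
    return sorted_samples[max(0, math.ceil(p / 100 * len(sorted_samples)) - 1)]

def summarize(sorted_samples):
    """Mean plus an 80% interval so the report shows uncertainty, not a single number."""
    return {"mean": sum(sorted_samples) / len(sorted_samples),
            "p10": percentile(sorted_samples, 10), "p90": percentile(sorted_samples, 90)}

def mitigation_value(baseline, mitigated, annual_cost):
    """Return on mitigation: expected annual loss avoided, net of the control's cost."""
    return summarize(baseline)["mean"] - summarize(mitigated)["mean"] - annual_cost

if __name__ == "__main__":
    # Constructed, illustrative inputs (not real figures): 0.5-4 events/yr today,
    # $50k-$2M per event; a hypothetical control costing $200k/yr cuts frequency to 0.1-1.
    current = simulate_ale((0.5, 4), (50_000, 2_000_000))
    with_control = simulate_ale((0.1, 1), (50_000, 2_000_000))
    for name, s in (("current", current), ("with control", with_control)):
        print(name, {k: round(v) for k, v in summarize(s).items()})
    print("net annual value of control:", round(mitigation_value(current, with_control, 200_000)))
```

The p10/p90 spread is the part worth putting in front of a decision-maker: it is the residual uncertainty after measurement, and a wide interval is an argument for gathering more data before spending.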
Q: What are you seeing as some other key issues facing the risk management profession where quantification can help?
A: The biggest opportunity is to understand that as risk professionals we are tasked with enabling our leadership to make better decisions in the face of that uncertainty.
There are several options available to enterprise leadership, some better than others, and measurement can help reduce the amount of uncertainty between the options. That is very impactful and shouldn't be taken for granted.
Securing the information assets that the enterprise is holistically responsible for protecting is just another form of uncertainty our leaders must deal with. It is daunting because security boundaries are blurring as the business need for digital transformation continues to surge and new security weaknesses are discovered and exploited by threat actors continually. This makes our problem worse and presents tremendous uncertainty to keep senior leaders and Board members up at night.
As Douglas Hubbard has noted, measurement or quantification can be a workhorse at reducing uncertainty when there is a whole lot out there. Hence, we should leverage it successfully in cybersecurity considering other areas of business have been doing it successfully for so long now.
Disclaimer: The opinions expressed in this interview are Zach’s only, and do not reflect those of his employer.