Welcome to the CXOWARE blog. We hope you’ll join us for lively and good-natured discussion about risk and risk issues! We’re risk geeks, plain and simple, and big advocates of the Factor Analysis of Information Risk (FAIR) framework for quantifying risk.

It’s still a choice

By: Jack Jones


This post is prompted by an “enthusiastic debate” about regulatory compliance I had recently with another gentleman in our profession.

I’d love to take a poll of infosec professionals to find out how many of them adhere strictly to speed limits and other traffic laws when they drive. Why? Because many of these are the same people who state with conviction that, when a law or regulation exists regarding information protection, an organization MUST comply. While we might wish that were true, the fact is that compliance is ALWAYS a choice. It’s just another risk decision, and usually a trade-off of some sort: does the organization prefer to accept the risk of being caught and facing legal and other losses, or would it prefer to accept the costs and business impact of complying?
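Framed as a risk decision, the trade-off above can be quantified the way FAIR does it: estimate how often a loss event occurs and how much it costs when it does, for each option, and compare the resulting annualized loss exposure. The following is an added example written for this post, not code from the author or from any FAIR tooling. Every number in it (event probabilities, fine ranges, the annual cost of complying) is a constructed, illustrative assumption; a triangular distribution stands in for the calibrated min/most-likely/max ranges FAIR practitioners usually fit, and "being caught" is modelled as at most one regulatory loss event per year.

```python
"""Monte Carlo comparison of two compliance postures as a risk decision.

Added example: all inputs are constructed assumptions for illustration,
not figures from the original post or from any real organisation.
"""
import random
from statistics import mean

# Each option is a FAIR-style decomposition of the decision:
#   event_prob: min / most-likely / max probability of a loss event (e.g. a
#               regulator or litigant acting on non-compliance) in a given year
#   magnitude:  min / most-likely / max loss if that event occurs (fines,
#               legal fees, remediation, business disruption), in dollars
#   fixed_cost: certain annual spend the option requires (controls, audits,
#               staff), in dollars
OPTIONS = {
    "do not comply": {
        "event_prob": (0.05, 0.10, 0.25),
        "magnitude": (1_000_000, 4_000_000, 20_000_000),
        "fixed_cost": 0,
    },
    "comply": {
        "event_prob": (0.01, 0.02, 0.05),            # residual risk never reaches zero
        "magnitude": (500_000, 1_000_000, 5_000_000),
        "fixed_cost": 600_000,                        # assumed cost of the control set
    },
}


def sample_range(rng, lo, most_likely, hi):
    """Draw from a min / most-likely / max range (triangular stand-in for PERT)."""
    return rng.triangular(lo, hi, most_likely)


def simulate_option(option, trials=20_000, seed=7):
    """Simulate `trials` years and return loss statistics for one option."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(trials):
        loss = option["fixed_cost"]
        # Sample this year's event probability, then whether the event happens.
        p_event = sample_range(rng, *option["event_prob"])
        if rng.random() < p_event:
            loss += sample_range(rng, *option["magnitude"])
        annual_losses.append(loss)
    annual_losses.sort()

    def pct(q):
        return annual_losses[int(q * (len(annual_losses) - 1))]

    return {
        "mean": mean(annual_losses),   # annualized loss exposure
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "max": annual_losses[-1],
    }


def compare(options=OPTIONS, **kwargs):
    """Run every option and return its statistics keyed by option name."""
    return {name: simulate_option(opt, **kwargs) for name, opt in options.items()}


def preferred_by_expected_loss(results):
    """Name of the option with the lowest annualized loss exposure."""
    return min(results, key=lambda name: results[name]["mean"])


if __name__ == "__main__":
    results = compare()
    for name, stats in results.items():
        print(f"{name:>14}: mean ${stats['mean']:>12,.0f}  "
              f"p50 ${stats['p50']:>12,.0f}  p90 ${stats['p90']:>12,.0f}  "
              f"p95 ${stats['p95']:>12,.0f}  max ${stats['max']:>12,.0f}")
    print("lowest expected loss:", preferred_by_expected_loss(results))
```

The point the simulation makes is the one in the post: neither column is "zero risk". Complying converts an uncertain, fat-tailed loss into a mostly certain annual cost plus a smaller residual, and whether that is the better deal depends on the organization's loss tolerance and on what the inputs actually are, which is exactly why it is a decision rather than a mandate. Changing `fixed_cost` or the fine range flips the answer, and the percentile columns show that a decision-maker who cares about worst years, not just the mean, may weigh the options differently.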

The other consideration in play is that many laws are open to interpretation. I’ve been in plenty of meetings where ambiguity in the law was leveraged in decision-making. Not in a malicious, bwah-ha-ha sort of way, but in a legitimate “How do we best manage the cost and risk associated with running a business?” sort of way. And for those who’d argue that’s a terrible thing, I’d bet a close look at some of your own decisions will turn up a little “harmless interpretation” of the law from time to time.

Of course, some people might argue that you can’t compare speeding, tailgating, and rolling through stop signs with the damage that can result from a breach of credit cards or other PII. I beg to disagree. The risk associated with automobile accidents resulting from even relatively simple carelessness or thoughtlessness is significant.

The point is, when we adopt the premise that laws and regulations somehow eliminate choice and decision-making, we’re being naive, and that naiveté comes across pretty glaringly to many of the business professionals we serve and support. To them it’s just another example of the infosec geek lacking perspective and viewing our very grey world in black-and-white terms.

About The Author

Jack Jones
Jack Jones is the EVP of R&D and a Founder of RiskLens. He has worked in technology for over 30 years, the past 28 years in information security and risk management. He has a decade of experience as a Chief Information Security Officer (CISO) with three different companies, including a Fortune 100 financial services company. His work there was recognized in 2006 when he received the Information Systems Security Association (ISSA) Excellence in the Field of Security Practices award. In 2007, he was selected as a finalist for the Information Security Executive of the Year, Central United States, and in 2012, he was honored with the CSO Compass Award for leadership in risk management. Jones, who lives in Spokane, Washington, has served on the ISACA CRISC Certification Committee and RiskIT Task Force, as well as the ISC2 Ethics Committee. He is the author and creator of the Factor Analysis of Information Risk (FAIR) framework. He writes about that system in his book Measuring and Managing Information Risk: A FAIR Approach, which was inducted into the Cyber Security Canon in 2016, as a must-read in the profession.