“I was just expensive noise. The fact that I couldn’t express the value proposition of cybersecurity was a real problem in senior executives' eyes.” That’s Jack Jones describing the painful moment of his career as a CISO that set him on the path to creating Factor Analysis of Information Risk (FAIR), the analytical model for breaking down cyber risk into financial terms that business leaders can understand.
In this one-hour webinar, you’ll hear Jack run through the many blind spots, distractions and dead ends that keep infosecurity professionals from realizing their true value or Jack puts it, “Our job as professionals is not just to help our organizations manage risk but to help our organizations manage risk cost effectively.” That means, “We have to understand and be able to relate our value proposition to the organization.”
Scroll down to watch the webinar “A Fireside Chat with Jack Jones” now.
Jack takes on cybersecurity “maturity models”, useful for identifying gaps in defenses but “none of them…characterize the ‘so what?’ in gaps… of the things we are worse at, which ones matter most?” Without a rigorous fact-based analysis, there’s no way to come to an answer with any reliability.
Same thing for formal models—and Jack shows how one risk measurement model in particular has a glaring logical hole.
It’s an example of the lack of attention to detail in qualitative risk assessment that Jack says he sees all the time: “They haven’t defined in their own minds what it is they have just measured.”
And then there are seeming quantification methods that Jack sees as just replacing words like “high-medium-low“ with numbers. “You can’t do meaningful math on ordinal scales,” Jack says.
Jack covers more of the pitfalls of conventional cyber risk analysis, then goes on to give a high-level introduction to FAIR, which he calls “a straightforward model for risk” that “provides us the formula for doing analyses.” Jack also gives an introduction to RiskLens, the analytics software built for organizations that want to implement FAIR in an efficient, scalable way. “We are beginning to see a lot of organizations say ‘yeah, we do FAIR too’ but some of what I’ve seen out there that claims to be FAIR is incredibly badly done, and done in some cases by people not remotely qualified.”
“I’ve been working on this for 17 years,” Jack says, as the CISO for three companies, and an industry consultant, and his new Adoption Guide for FAIR "tries to capture this hard-won experience.” Read the book, along with Jack’s Executive Guide to Cyber Risk Economics for an accessible introduction to the theory and practice of FAIR.