In this short video, Jack Jones tackles one of the biggest challenges for information security practitioners: putting a value on the company assets they protect. As Jack says, "our guts will tell us something is important but then being able to communicate that to management in a way that makes sense to them is really problematic."
Get a fresh take on the security value proposition from one of the leading thinkers in information security and risk management, and the creator of Factor Analysis of Information Risk (FAIR), the standard quantitative model for cybersecurity and operational risk.
Jack was interviewed at the 2017 RSA Conference for CybersecurityTV by Terry Roberts, CEO and Founder of Whitehawk, Inc.
Q: We’re going to talk today about the value of information security. Over to you, Jack.
A: One of the big challenges we face in our profession is understanding and articulating the value proposition for all the things we think are important. Our guts will tell us something is important but then being able to communicate that to management in a way that makes sense to them is really problematic.
Q: So if we’re talking to the C-suite, what are the top two or three points we want to make?
A: Well, I think, one of the important things is, security is a means to an end, and that end is an acceptable level of risk to the organization.
I could unpack that whole phrase, and parse it out and dissect it for you, but it boils down to essentially being able to measure the ways in which harm can occur to the organization, and the likelihood and impact of those events. And then what is the effect of this security initiative or that thing on the probability or impact of those events.
Q: From a previous job or maybe un-named customers, could you give us a scenario? Because sometimes it’s really hard for regular managers to get their heads around this.
A: Sure, so an example from an organization I worked for, we had decided that we were pretty exposed to an APT sort of threat and we figured our perimeter, as good as it was, was still a perimeter with all of the porousness that comes with that today.
And the expectation was that if an APT attacked, they would be able to get inside and we’d only identify them if we tripped across them because we just didn’t have the things in place that you need for that.
Now this was the middle of the budget cycle, which is never a good time to go ask for money from management. So what we did was, we said alright, how much risk do we face from these kinds of events today? Let's quantify that, given our current control conditions and such. Now if we applied this control measure or that control measure, things we were looking for funding on, how much less risk will we have?
So instead of having to go to management and say we're scared about this, we think it's quote-unquote high risk, we need to spend a bunch of your money to deal with it, trust us, we were able to say: here's what our loss exposure is in economic terms today, and now if we apply this control at this cost, here's how much less risk we'll have.
That was the easiest money we ever went after, because they understood the measure itself. But the other thing that was really important was that we were able to articulate how we came to those measurements in terms that we could defend, which, again, has been really problematic in the industry.
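The before-and-after comparison Jack describes can be shown as a small FAIR-style calculation. The example below is added here and is not part of the interview or of any FAIR Institute tooling; it uses FAIR's top-level decomposition of risk into loss event frequency (events per year) and loss magnitude (dollars per event), and all of the range estimates, the control's annual cost, and the class and function names (`Estimate`, `Scenario`, `control_case`) are constructed for illustration.

```python
"""Added example (not from the interview): compare annualized loss exposure
before and after a proposed control, FAIR-style, using constructed estimates."""
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max range for one FAIR factor."""
    low: float
    likely: float
    high: float

    def expected(self) -> float:
        # Mean of a triangular distribution spanning the calibrated range.
        return (self.low + self.likely + self.high) / 3

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode).
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    """Loss Event Frequency (events/year) and Loss Magnitude ($/event)."""
    lef: Estimate
    lm: Estimate

    def expected_ale(self) -> float:
        # Annualized loss exposure: frequency times magnitude, using means.
        return self.lef.expected() * self.lm.expected()

    def simulate_ale(self, rng: random.Random, trials: int = 10000) -> list:
        # Monte Carlo: one annual loss figure per trial, so percentiles
        # ("how bad could a year be?") are available as well as the mean.
        return [self.lef.sample(rng) * self.lm.sample(rng) for _ in range(trials)]


def percentile(values: list, p: float) -> float:
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(p / 100 * len(ordered)))
    return ordered[idx]


def control_case(before: Scenario, after: Scenario, annual_cost: float):
    """Return (expected risk reduction, net benefit) in $/year for a control."""
    reduction = before.expected_ale() - after.expected_ale()
    return reduction, reduction - annual_cost


# Constructed estimates for the APT scenario in the interview. The proposed
# control is detection/response capability, so it shortens attacker dwell
# time and lowers loss magnitude; it does not change how often attacks occur.
BEFORE = Scenario(lef=Estimate(0.1, 0.25, 0.6),
                  lm=Estimate(500_000, 2_000_000, 8_000_000))
AFTER = Scenario(lef=Estimate(0.1, 0.25, 0.6),
                 lm=Estimate(200_000, 800_000, 3_000_000))
CONTROL_COST = 250_000  # constructed annual cost of the control


def summary(seed: int = 7) -> dict:
    rng = random.Random(seed)
    reduction, net = control_case(BEFORE, AFTER, CONTROL_COST)
    sim_before = BEFORE.simulate_ale(rng)
    sim_after = AFTER.simulate_ale(rng)
    return {
        "ale_before": BEFORE.expected_ale(),
        "ale_after": AFTER.expected_ale(),
        "reduction": reduction,
        "net_benefit": net,
        "sim_mean_before": mean(sim_before),
        "p90_before": percentile(sim_before, 90),
        "p90_after": percentile(sim_after, 90),
    }


if __name__ == "__main__":
    for k, v in summary().items():
        print(f"{k:>16}: ${v:,.0f}")
```

The figures a practitioner would take to the budget conversation are the two ALE numbers, the reduction, and the net benefit after the control's cost; the 90th percentile lines answer the follow-up question "and what does a bad year look like?". The defensibility Jack mentions comes from the calibrated ranges feeding the model, which can be shown and challenged one factor at a time.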
Q: I think you’re involved with the FAIR Institute? Could you tell us a little bit about that?
A: The FAIR Institute is a non-profit organization intended to establish a community of professionals in our industry who want to evolve the practices, share the challenges they face, and how they’ve applied FAIR to good advantage. In a year now we have over a thousand people from around the world that have signed up for this. It’s a free membership, and it’s a tremendous source.
Q: And the kind of members are?
A: You name it. We have CISOs, we have CROs, we have some CEOs and CFOs, we have down in the weeds threat intelligence analysts, people from all sort of walks of our professional life, so to speak.
Q: Very interesting. CROs, chief risk officers, is really a development and a trend that’s growing. Could you frame it for us, to close things out?
A: Organizations have always sort of addressed risk in piecemeal fashion, maybe credit risk over here and market risk over there, then there’s this information security thing that nobody wants to deal with from a business perspective.
So a lot of organizations, sort of being led by the financial services industry, have established this chief risk officer position to say, alright, risk is this over-arching business challenge or concern, we need to have a way to pull these different silos together, understand them in context, be able to prioritize amongst them, and make sure they're doing smart things from a risk management perspective. So that's really the purpose of the CRO. Any of the risk disciplines should fall under the CRO.