5 Insights from FAIR Creator Jack Jones on Transforming Your Risk Management Organization

July 16, 2019  Jeff B. Copeland

RiskLens Co-Founder and Chief Risk Scientist Jack Jones created the FAIR model for quantitative cyber risk analysis that powers the RiskLens analytics platform and wrote Measuring and Managing Information Risk, inducted into the Cybersecurity Canon as one of the most influential books for risk professionals.

But Jack isn’t just a technical expert on information risk—he’s long crusaded for a change in how we think about – and act on – business risk analysis. As he said in his recent keynote address to the 2018 FAIR Conference (watch the video – FAIR Institute membership required), “understanding why we operate the way we do as a profession” is the starting point for any progress.

Here are some of Jack’s insights that might change your thinking…

“One of the significant hurdles we have to overcome as a profession is our addiction to ‘zero cost’ risk measurement.”

--Blog post: Zero Cost Risk Management

Jack argues that qualitative risk measurement – such as arranging risks on a heat map based on “expert” opinions – is so widespread because it is so easy, but it masks a real cost further down the line (see the next quote).

“Unfortunately, an inability to prioritize effectively or understand the cost-benefit proposition of our risk management efforts is a gift we hand [threat communities] every day. It’s also something within our reach to fix if we take it seriously.”

--Article in Homeland Security Today: Finding the Right Path with the Cyber Risk Management Cheshire Cat

Quantitative cyber risk management gives businesses a means to focus remediation where there is the most risk, as opposed to the spread-evenly mentality fostered by following “maturity models” like the NIST CSF list of best practices. Jack calls the ability to prioritize true maturity in risk management, as he argued in his FAIR Conference keynote address.

[Image: Jack Jones delivers a keynote address at FAIRCON 2018]

“What FAIR does is simplify the problem by providing a relatively noncomplex lens through which to view and evaluate the complex risk landscape.”

--From the book Measuring and Managing Information Risk

The FAIR model that the RiskLens application was built on is simple enough to grasp on sight (download an infographic here to see what we mean). In an environment in which cyber risk analysts and managers have too much data coming at them too fast, FAIR is a tool to cut through the mental clutter.

“Contrary to common beliefs (or fears), there are only two prerequisites to effectively adopting FAIR within an organization: at least one clear and specific value proposition for using it, and critical thinking skills.”

--eBook: An Adoption Guide For FAIR

In this eBook, Jack shows how to introduce FAIR to an organization from this simple two-part starting point; everything after that is a matter of changing minds and longstanding practices.

“CISOs need to understand technology and business, but I believe the focus needs to be on understanding them as inseparable parts of a whole rather than as somehow distinct from one another.”

--Blog post: A Question of CISO Focus: Technology or Business?

For cybersecurity veterans, adopting FAIR means changing your conception of your job from a primarily IT focus to a focus on the priorities of the business. FAIR gives information security professionals the means to understand and communicate cyber risk in financial terms, the language that the rest of the business operates in.