RiskLens Co-Founder and Chief Risk Scientist Jack Jones created the FAIR model for quantitative cyber risk analysis that powers the RiskLens analytics platform and wrote Measuring and Managing Information Risk, inducted into the Cybersecurity Canon as one of the most influential books for risk professionals.
But Jack isn’t just a technical expert on information risk—he’s long crusaded for a change in how we think about – and act on -- business risk analysis. As he said in his recent keynote address to the 2018 FAIR Conference ( watch the video– FAIR Institute membership required), “understanding why we operate the way we do as a profession” is the starting point for any progress.
Here are some of Jack’s insights that might change your thinking…
--blog post: Zero Cost Risk Management
Jack argues that qualitative risk management measurement – such as arranging risks on a heat map based on “expert” opinions – is so widespread because it’s so easy, but it masks a real cost later down the line – see the next quote.
--Article in Homeland Security Today: Finding the Right Path with the Cyber Risk Management Cheshire Cat
Quantitative cyber risk management gives businesses a means to focus remediation where there’s the most risk, as opposed to the spread-evenly mentality fostered by following “maturity models” like the NIST CSF list of best practices. Jack calls the ability to priorities true maturity in risk management, as he argued in his FAIR Conference keynote address.
--from the book Measuring and Managing Information Risk.
The FAIR model that the RiskLens application was built on is simple enough to grasp on sight ( download an infographic here to see what we mean). In an environment in which cyber risk analysts and managers have too much data coming at them too fast, FAIR is a tool to cut through the mental clutter.
--eBook: An Adoption Guide For FAIR
In this eBook, Jack shows how to introduce FAIR to an organization from this simple two-part starting point—everything after that is changing minds and longstanding practices.
--Blog post: A Question of CISO Focus: Technology or Business?
For cybersecurity veterans, adopting FAIR is changing your conception of your job role from primarily an IT focus to a focus on the priorities of the business. FAIR gives information security professionals the means to understand and communicate cyber risk in financial terms, the language that the rest of the business operates on.