Jack Jones, RiskLens Chief Risk Scientist, and creator of the FAIR model, spoke today at the Global Board Leaders Summit of the National Association of Corporate Directors, at an “Ask the Experts” panel on cybersecurity – and gave the room full of board directors some pointed direction on challenging the status quo on cybersecurity in their organizations.
Asked about the role of frameworks in general and the NIST Cybersecurity Framework in particular (which recently added FAIR as a resource to the CSF), Jack said “Those frameworks are marvelous as lists of good practice. But they don’t answer the question, ‘So what if there’s a deficiency’…Ideally that ‘so what’ is answered in economic terms. How much loss exposure does this deficiency represent?
“Using that, we can prioritize more effectively. We can identify not only what our top risks are, but how much loss exposure they represent, and the cost benefits of improvements.” Those are, of course, the benefits of quantitative cyber risk analysis with FAIR.
Jack said that prioritization starts with identifying the “crown jewels” of the organization. “But especially when it comes to consumer data, I’ve seen organizations say all consumer records are crown jewels…
“You’ve lost the game out of the gate when you hear that…If you think you can protect all of those records in all their instances throughout the organization, with that same high level of security, it’s not going to happen. You have to identify those larger volumes that, if those are compromised, that’s when you feel real pain to the organization and when large numbers of people are affected.”
One director asked from the audience how to get a list of “critical basics” to “help me make decisions.”
Jack’s pointed reply:
“I would say the first thing you have to do is make sure your organization has identified its top risks. And once you understand that, then you can begin to measure…the progress you are making in terms of reducing risk.
“But here’s the point I want to drive home – and if this makes you uncomfortable, good – and that is, no organization I’ve walked into in recent years has done that.
“They have no idea what their top risks are, which means their focus for measurement and management isn’t necessarily what it needs to be. That, to me, is a huge problem. You have to solve that before you can hope to achieve what you’re looking for.
“If you go back to your organization and say, ‘What are our top risks?’, and you see things like phishing or the cloud or Internet of Things or ransomware, you have a problem. Those aren’t risks. Those are part of the risk landscape, but they aren’t risks. And they can’t be measured as risk if they can’t be prioritized as risk, and if that’s where you are today, your organization has some work to do.”
Jack gave the audience a quick introduction to the FAIR model and its focus on risk as a loss event. “Outside of having this framework, cyber risk can feel very complicated, and hard to get your arms around, but once you have a framework like this to evaluate it with, it becomes much more manageable, from a measurement perspective.”
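The loss-exposure arithmetic behind the prioritization and cost-benefit points above, and behind the "risk as a loss event" framing just described, as an added example that is not from the talk or from RiskLens: a small FAIR-style calculation over calibrated low / most-likely / high ranges for loss event frequency (LEF) and loss magnitude (LM). The two scenarios, their numbers, and the control cost are constructed for illustration; the use of a triangular distribution is a simplification chosen for this example, not the FAIR standard's own method.

```python
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Estimate:
    """Calibrated low / most-likely / high range, the form FAIR inputs take."""
    low: float
    likely: float
    high: float

    def mean(self) -> float:
        # Mean of the triangular distribution used for sampling below.
        return (self.low + self.likely + self.high) / 3

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)

    def scaled(self, factor: float) -> "Estimate":
        return Estimate(self.low * factor, self.likely * factor, self.high * factor)


@dataclass(frozen=True)
class LossScenario:
    """A FAIR loss event: what is hit, how often (per year), and how badly (dollars)."""
    name: str
    lef: Estimate  # loss event frequency, events per year
    lm: Estimate   # loss magnitude per event, in dollars


def expected_ale(s: LossScenario) -> float:
    """Annualized loss exposure as a point estimate: frequency x magnitude."""
    return s.lef.mean() * s.lm.mean()


def simulate_ale(s: LossScenario, runs: int = 20000, seed: int = 7) -> dict:
    """Monte Carlo over the ranges; each run approximates annual loss as LEF x LM."""
    rng = random.Random(seed)
    losses = sorted(s.lef.sample(rng) * s.lm.sample(rng) for _ in range(runs))
    return {"mean": sum(losses) / runs, "p90": losses[int(0.9 * runs)]}


def rank_by_exposure(scenarios):
    """The 'top risks' list a board should ask for, ordered by loss exposure."""
    return sorted(scenarios, key=expected_ale, reverse=True)


def net_benefit(s: LossScenario, lef_reduction: float, annual_cost: float) -> float:
    """Cost-benefit of a control that cuts LEF by a fraction (0.5 = halved)."""
    after = replace(s, lef=s.lef.scaled(1 - lef_reduction))
    return expected_ale(s) - expected_ale(after) - annual_cost


# Constructed scenarios (hypothetical numbers, not figures from the talk).
DB_BREACH = LossScenario("Breach of the primary customer-records store",
                         Estimate(0.1, 0.5, 2), Estimate(100_000, 500_000, 3_000_000))
MAILBOX = LossScenario("Single employee mailbox takeover",
                       Estimate(5, 20, 50), Estimate(1_000, 5_000, 20_000))
```

Ranking the two scenarios with `rank_by_exposure` puts the rare, high-magnitude breach well above the frequent, low-magnitude one, and `net_benefit(DB_BREACH, 0.5, 150_000)` prices a control that halves breach frequency against its annual cost.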
In addition to pressing cybersecurity management for clarity on top risks, Jack said that board members should demand they start doing “root cause analysis” when controls fail repeatedly. “When a problem occurs, ask ‘why’ at least five times to get to root cause. Research I’ve done finds that 80% of the problems are due to one or two systemic problems, deficiencies from a management perspective in an organization, and if you treat those root causes, you make huge headway in terms of not fighting the same battles over and over and get overall greater results.”