New York Times reporters Stacy Cowley and Nicole Perlroth turned to FAIR Institute Chairman and RiskLens Chief Risk Scientist Jack Jones to answer the question, why are big banks in an Endless Fight with Hackers, as their article on the massive Capital One breach asks.
This post originally appeared on the FAIR Institute blog.
The Times quotes Jack saying that security experts are likely to home in on the apparently simple mistake made by software developers at Capital One — the bank is only saying it was a “configuration vulnerability” in its security software found by accused hacker Paige Thompson that permitted exfiltration of financial records on over 100 million people.
But simple mistakes are common when it comes to online security, Jack goes on to say. Every big organization faces a huge number of threats daily. The problems is that “They’re lost in noise. Nobody has this nailed down.”
It’s not for lack of support from uncaring boards or senior executives or even from insufficient penalties from regulators or the courts (Capital One is already the target of a class action lawsuit), Jack argues.
The core problem is poor risk measurement leading to poor prioritization of security efforts. Cyber defenders get lost in the noise of CVSS scores or other vulnerability counts, qualitative red/yellow/green risk ratings and “maturity” scores based on compliance with controls frameworks—rather than a focussed effort to identify crown jewel assets, gain good visibility into threats and controls, effectively measure risk quantitatively, and push through to a root cause analysis of systemic failures.
Jack, of course, has been crusading for progress on all those fronts through his development of the FAIR (Factor Analysis of Information Risk) model for risk quantification and leadership of the FAIR Institute. It’s paying off, not just in recognition of his thought leadership, as evidenced by the Times article, but in the tangible growth in FAIR practitioners worldwide. Membership in the FAIR Institute has now passed 6,000, with representatives from about one-third of the Fortune 1000–including many big banks.
Read the New York Times article For Big Banks, It’s an Endless Fight With Hackers.