How Can You Remove Emotion From Irrational Cyber Security Decision Making?

Jack JonesDo you have the following questions?

How can I lower and reduce the Signal to Noise Ratio in my IT Security Program?

How can I apply rigorous and precise thinking to my IT Sec Program?

How can I quantify loss exposure within my IT Sec program?

So many people want to discuss how the pace of technology innovation is increasing complexity and also causing mistakes to happen. Many of them are human error. Not many people want to discuss how to solve this problem and how to deal with it.

Jack is different and his main goal is to slow down and apply logical and critical thinking to the process.

Jack Jones is widely considered a thought leader in risk management and information security. Jack has been employed in technology for the past thirty years; specializing in information security and risk management for twenty-four of those years. During this time he has garnered a decade of experience as a CISO, including five years for a Fortune 100 financial services company. His work has also been recognized by his peers and the industry, earning him the 2006 ISSA Excellence in the Field of Security Practices award, and the 2012 CSO Compass Award for Leadership in Risk Management. Jack is the originator of the now industry standard risk management framework known as Factor Analysis of Information Risk (FAIR). FAIR has seen adoption globally, within organizations of all sizes, and is now regularly included in graduate-level university courses on information security and referenced by other industry standards. He also recently co-authored a book on FAIR entitled “Measuring and Managing Information Risk – A FAIR Approach“. Today, Jack is the President of CXOWARE, Inc., serves on committees for both ISC(2) and ISACA, and is a regular speaker for national conferences.

 

There are a few key takeaways from my conversation with Jack:

  • The importance of thinking with rigor precision.
  • How to remove emotion and irrational discussion about cyber risk
  • The importance of quantifying loss exposure and how to do this.
  • Key questions to ask using the FAIR model.
  • Do you need to be good at Math in order to use a FAIR model….the answer will surprise you. No
  • Apply deeper and logical thinking to your IT Security and Risk Analysis.
  • Frame conversations into a nomenclature that you can discuss with the business (Fair on a page)
  • Deal with complex security problems effectively.
  • Quantify in risk, dollars, and expenses.
  • How you can take hundreds of vulnerabilities down to four by asking the right questions?
  • Beware of the blind acceptance of tools. You can get paralyzed with volume due to increased Signal to noise.

What can a CIO learn from reading or listening to this interview:

  1. You must ask probing questions.
  2. You have to question assumptions.
  3. Apply critical thinking and rigor and less superficial thinking.
  4. Blind acceptance of tools is bad.
  5. Get a foundation nomenclature and foundation of terminology in place. How does your company define risk? Must get the business to one answer (see link)

What are the two Key Questions that every CIO must ask their team about sensitive data:

  • Is an authentication filter behind this system?
  • How many sensitive records are behind this system?

Jack is the inventor of:

  1. The FAIR Factor Analysis Information Risk analysis method for IT Security. (link to site)
  2. He is the author of a book called: “Measuring and Managing Information Risk
  3. Founder of the OpenGroup which publishes standards and professional certifications related to FAIR

Show Notes

  • “With Cyber Security right now there’s a tremendous amount of emotion and a tremendous amount of opinion, but I have not seen quite the same amount of logic” – How does the F.A.I.R. model solve this problem?
  • Factor Analysis of Information Risk (F.A.I.R.) – “A framework for critical thinking about risk”
  • What are the benefits of F.A.I.R.?
  • How was the F.A.I.R. model developed? What was its genesis?
  • “If I spend all this money you’re asking for, how much less risk will I have?” – The Board has a right to understand the benefit of what they’re spending their money on
  • How can the F.A.I.R. model be used to take the emotion out of an event and present it back to the Board?
  • “70-90% of the high risk issues I encountered, the things that were claimed to be high risk, in fact weren’t”
  • Signal to Noise Ratio – How much of the information being presented to CIOs and CISOs is actually high risk?
  • What problems are caused by nomenclature when dealing with risk in the IT Security industry
  • The Smoke Detector Example – Understanding the difference between Risk and Control Failure
  • How does one get past a list of vulnerabilities to the likelihood of a loss event actually occurring?
  • “There are a handful of questions organizations can use to examine the noise begin filtering things out that matter more”
  • “It’s important that when you’re trying to be more rigorous around analysis that you don’t overdo it”
  • Do you have to be good at math to use a F.A.I.R. model?
  • The 3 problems with measuring in security risk: ambiguity, alignment with the business, and compression
  • Do conversations about IT Security and DR need to be held together now? Is there a difference between the Availability part of technology risk and IT Security?
  • Can a new CIO taking over a company use F.A.I.R?
  • What is your visibility into your assets and the threat landscape look like?
  • Reliability in executing on decisions boils down to personnel understanding what they’re supposed to do, personnel having the skills to accomplish the tasks required of them, and personnel being properly incentivized to make good risk choices
  • A.I.R. and Human error – Running an Internal Phishing Campaign
  • “You have to have the technology and the processes in place to recognize when a compromise has occurred as quickly as possible”
  • Available tools to detect compromises: Net Witness and FireEye
  • How does a CIO convey an organizations current state to a desired state?
  • What’s an easy first step for a CIO to improve their ability to get and maintain a handle on Information Security Technology Risk?
  • To Learn More about F.A.I.R.

Love this episode? Leave a Review 

Share it on your LinkedIn feed.

If you haven’t already, please make sure you leave us a review on iTunes.

About Bill Murphy 

Bill Murphy is a world-renowned IT Security Expert dedicated to your success as an IT business leader. 

Connect With Us On Social Media

Connect with Bill on LinkedIn.
Instagram
Twitter
Facebook

Join The CIO Innovation Mastermind Community

We invite the top 20% of Business IT Leaders for my CIO Innovation Mastermind Events group to participate in monthly discussions on things like VR, AI, and other disruptive & emerging technologies. If you want to become a member, email Chief of Staff, Jamie Luber Jluber@redzonetech.net for more information.

Subscribe To Bill Murphy’s RedZone Podcast