Jack Jones is one of the foremost authorities in the field of information risk management. As the Chairman of the FAIR Institute and co-founder and EVP of R&D at RiskLens, he continues to lead the way in developing effective and pragmatic ways to manage and quantify information risk.
As a three-time Chief Information Security Officer (CISO) with forward-thinking financial institutions such as Nationwide Insurance, Huntington Bank and CBC Innovis, he received numerous recognitions for his work, including: the ISSA Excellence in the Field of Security Practices award in 2006; a finalist award for the Information Security Executive of the Year, Central US in 2007; and the CSO Compass Award in 2012, for advancing risk management within the profession.
Prior to that, his career included assignments in the military, government intelligence, consulting, as well as the financial services and insurance industries. Jack is the author of FAIR, the quantitative model for cybersecurity and operational risk that The Open Group adopted as its risk-measurement standard. A sought-after thought leader, he recently published the award-winning book 'Measuring and Managing Information Risk: A FAIR Approach' and is a regular speaker at industry conferences.
ITSPmagazine had a chance to catch up with Mr. Jones to explore how his role in InfoSec started, progressed, and is now making an impact on the world we live in.
ITSPMagazine: How and why did you enter the field of infosec?
Jones: In the 80s I was a sysadmin for a mid-sized bank. A volunteer was sought to head up a project regarding desktop viruses, and I thought this sounded interesting so I volunteered. I like to create things and solve challenging problems. This seemed important, impactful, and satisfied my desire to do something off the beaten path and explore.
At the time, virus technology was nascent. I needed to understand this in depth, so I decided to write a virus myself – in assembly language no less! Armed with this understanding as my entry, I began my crusade.
As viruses became more prevalent, I wrote a note to all bank personnel to educate them on the dangers of viruses and what they could do to protect themselves. I got a note from the CEO the following day expressing his appreciation for the effort. These early experiences fed my interest and energy for this space.
ITSPMagazine: What inspires you to do your job each day?
Jones: I am what you might think of as a reluctant entrepreneur. If I didn’t have to make money doing this, I’d still be working just as hard on this today. I feel that this is really important work. Organizations today are so grossly immature in managing the risk of cyber threats that it’s become a personal mission of mine to help jump start the evolution in this space so we can be much more effective than we are today.
To illustrate our poor shared understanding of risk, I will often put a slide up that has a list of threats, deficient controls, and assets:
- Disgruntled insiders
- Internet-facing web servers
- Untested recovery process
- Network shares containing sensitive customer information
- Weak passwords
- Cyber criminals
I then ask the audience to identify which are risks, and they invariably say “all of them” and thus fail because the fact is that none of them are risks. Our use and understanding of fundamental nomenclature is so imprecise and loose that it is a tremendous impediment to our ability to measure risk. And if we can’t measure well, we can’t prioritize, and we can’t communicate effectively to stakeholders. This is just one of the foundational problems we face as an industry.
ITSPMagazine: What’s your vision and view for how FAIR, coupled with an understanding of risk, can have a positive impact on society?
Jones: The Open Group (http://www.opengroup.org/) adopted FAIR as their standard for risk measurement a few years back. They have produced a number of resources including professional training and certification testing in the area. This has helped lend credibility to FAIR.
FAIR has been included in a number of universities’ master’s curricula. Carnegie Mellon University and others have adopted FAIR as a teaching vehicle on the cyber security side. However, it’s worth noting that FAIR is agnostic: you can use it to analyze any form of risk, not just cyber. Interestingly, San Jose State University includes this in their economics curricula, as it measures risk in economic terms, dollars and cents. Others have used it to perform a cost/benefit analysis for bicycle lanes in a municipality, analyze handgun safety in schools, etc.
If an organization adopted FAIR for no other reason than to standardize terms and have an ontology so folks know how the terms relate to each other, massive progress could be made. Normalization of the mental models of risk management provides huge benefits.
In short, if we can’t properly identify, quantify, measure, prioritize, and communicate risk to stakeholders, everything downstream is a loss, and that’s largely where we are today.
ITSPMagazine: What role do vendors play in their use of terminology in their products and marketing language?
Jones: I’m so glad you asked. The vendors have recognized that the word “risk” is important. So the word is liberally used – usually incorrectly. Unfortunately, the audience that they are presenting to is very often not aware of this fact, and buys the product because it “manages risk”. Tools aren’t necessarily bad – many provide real value, but the role they play is misunderstood and sometimes misrepresented.
ITSPMagazine: Do boards understand risk?
Jones: Generally, they have a good intuitive sense of risk. They got to their station by making decisions in pursuit of an upside, evaluating risk. They are often a more receptive audience than others in the technology profession.
However, the “tolerance stackup” issue pertaining to the definition and understanding of risk between vendors, technology buyers, boards, standards bodies, industry analysts, and even regulators leads to a cacophony of voices without any foundation for real communication.
Standards bodies are trying to do the right thing, but even they are often working with a definition of risk that is badly broken.
FAIR is focusing on all four groups. Much of the material and resources are offered at no cost.
ITSPMagazine: What impact on society do you hope to have personally as an executive for a security company?
Jones: Let me tell you a story. At the bank, we had massive amounts of credit card data. PCI directs companies to encrypt data at rest. I talked to a vendor about our needs and they said no problem, it will cost millions of dollars and take 18 months to implement. I went back and evaluated the risk scenarios where encryption of data at rest was relevant (as a control), and then said, “how much risk do we have in these scenarios today without encryption”, and “if we deploy encryption, how much less risk will we have?”, and then looked at whether there were different controls I could use other than encryption that are relevant to these same scenarios. Turns out there were, and I examined those. As it turned out, I was able to effectively mitigate the risk using alternative controls, show it to the auditors, and they signed off on it. We saved millions of dollars, a ton of time, and ended up with a better risk profile.
Understanding risk results in very real cost benefits for organizations. Invest where it demonstrably makes sense, and stop chasing ghosts.
For industries like FinServ, being able to share information between organizations in a meaningful fashion is hugely important. Recognizing this, the Federal Reserve recently came out with proposed changes to regulations around cyber risk. Some of their proposals include this notion of risk quantification, even mentioning FAIR.
Unfortunately, there’s often violent objection to quantification, mostly because those subject to said regulation don’t really understand risk and don’t have mechanisms in place to measure it. Perhaps most important is the misperception that doing so would be impossible at worst or difficult at best.
So, my goals are to help organizations cut through the misperceptions about risk, and ground their decision making in repeatable, quantifiable fact.
ITSPMagazine: Who is the owner of risk management?
Jones: It’s the business. It’s not the CISO or Chief Risk Officer. It’s the execs making business decisions. It’s these decisions that introduce risk. They are continually adding to or changing the risk landscape the org lives in while being hobbled with two big disadvantages. First, they’re not being given good information about how much risk they are introducing and therefore make poor decisions, and second, they are not held accountable. The CISO (on the cyber side) can’t be held accountable for this.
The CISO’s role is educator, facilitator, and problem solver. They have to understand the business objective, the risk landscape, and then communicate how those things work so that the people moving the business forward can make well-informed decisions. In my own career I have been more effective as an influencer than as a sheriff with a badge and a gun.
ITSPMagazine: What low hanging fruit exists for organizations to make forward progress in the realm of risk?
Jones: It comes back to terminology. It’s that simple. Once you have that figured out, everything else becomes possible. It is the lynchpin.
To illustrate, in a recent presentation I used an online polling question to ask the audience to identify their greatest pain point and their answers indicated their lack of understanding. The choices were:
- Confusion about risk
- Setting priorities
- Risk measurement and communication
Most picked #3, and least was #1. But that’s backward. They don’t even recognize that they have a problem understanding what risk is, and until they do that, measurement and communication can’t happen.
ITSPMagazine: Are the industry analysts any better with regard to their understanding and communication about risk?
Jones: About three years ago at a major analyst conference, three different analyst presentations said that risk quantification is impossible – it can’t be done. Three years later their story had changed. It can and should be done. The bad news, however, is that we’ve recently seen materials that indicate that they still do not understand risk, and their content will be confusing their customers. It’s clearly a work in progress.
ITSPMagazine: A number of stories have been circulating recently making the argument that doing nothing, rolling the cyber security dice, isn’t necessarily more expensive than buying cyber tech. Even if a breach happens, it’s cheaper to gamble.
Jones: I think there is some basis to that depending on your industry. There’s a lot of hype and exaggeration around cybersecurity risk but I think there is middle ground. I’m frankly glad they are asking the question. I think organizations who are serious about risk management should want to understand and answer that question. “Are we wasting money?” “Are we being ineffective in our use of resources?” For every organization I’ve run into, the answer is “Yes”, because they are making uninformed decisions. I wouldn’t suggest doing nothing. There’s middle ground there, and it begins with understanding and communicating.
To help promote education and understanding, here are some links to relevant blogs:
About Jack Jones
Jack Jones is one of the foremost authorities in the field of information risk management. As the Chairman of the FAIR Institute and Executive VP of Research and Development for RiskLens, he continues to lead the way in developing effective and pragmatic ways to manage and quantify information risk.