Jack Jones Podcast: How Can You Remove Emotion From Cyber Security Decision Making?

April 16, 2020

Do you have the following questions?

  • How can I reduce the noise and improve the signal-to-noise ratio in my IT security program?
  • How can I apply rigorous and precise thinking to my IT security program?
  • How can I quantify loss exposure within my IT security program?

So many people want to discuss how the pace of technology innovation is increasing complexity and causing mistakes, many of which are human error. Not many people want to discuss how to solve this problem and how to deal with it.

Jack is different, and his main goal is to slow down and apply logical and critical thinking to the process.

Jack Jones is widely considered a thought leader in risk management and information security. Jack has been employed in technology for the past thirty years, specializing in information security and risk management for twenty-four of those years. During this time he has garnered a decade of experience as a CISO, including five years for a Fortune 100 financial services company. His work has also been recognized by his peers and the industry, earning him the 2006 ISSA Excellence in the Field of Security Practices award and the 2012 CSO Compass Award for Leadership in Risk Management. Jack is the originator of the now industry-standard risk management framework known as Factor Analysis of Information Risk (FAIR). FAIR has seen adoption globally, within organizations of all sizes, and is now regularly included in graduate-level university courses on information security and referenced by other industry standards. He also recently co-authored a book on FAIR entitled “Measuring and Managing Information Risk – A FAIR Approach”. Today, Jack is the President of CXOWARE, Inc., serves on committees for both (ISC)² and ISACA, and is a regular speaker at national conferences.

There are a few key takeaways from my conversation with Jack:

  • The importance of thinking with rigor and precision.
  • How to remove emotion and irrational discussion about cyber risk.
  • The importance of quantifying loss exposure and how to do this.
  • Key questions to ask using the FAIR model.
  • Do you need to be good at math in order to use a FAIR model? The answer will surprise you: no.
  • Apply deeper and logical thinking to your IT Security and Risk Analysis.
  • Frame conversations into a nomenclature that you can discuss with the business (FAIR on a page).
  • Deal with complex security problems effectively.
  • Quantify in risk, dollars, and expenses.
  • How you can take hundreds of vulnerabilities down to four by asking the right questions.
  • Beware of the blind acceptance of tools. You can get paralyzed by volume when noise drowns out the signal.

What can a CIO learn from reading or listening to this interview?

  1. You must ask probing questions.
  2. You have to question assumptions.
  3. Apply critical thinking and rigor rather than superficial thinking.
  4. Blind acceptance of tools is bad.
  5. Get a foundational nomenclature and terminology in place. How does your company define risk? You must get the business to one answer.

What are the two key questions that every CIO must ask their team about sensitive data?

  • Is an authentication filter behind this system?
  • How many sensitive records are behind this system?

Jack is the inventor of:

  1. The Factor Analysis of Information Risk (FAIR) analysis method for IT security.
  2. He is the author of a book called “Measuring and Managing Information Risk.”
  3. Founder of The Open Group, which publishes standards and professional certifications related to FAIR.