Episode 43

Published on: 3rd Apr 2024

The Impact of FAIR on Risk Management with Jack Jones

Welcome to Razorwire, the cutting-edge podcast where we slice through the complexity of cybersecurity and risk management to bring you insights from industry leaders. I’m your host, Jim, and in today’s episode we unravel the intricacies of the FAIR (Factor Analysis of Information Risk) risk methodology with none other than its creator, Jack Jones. Jack’s groundbreaking approach has revolutionised how organisations perceive and approach information security risk. So buckle up as we dive deep into the mind behind this transformative model.

In a fascinating session, Jack shares his journey in developing the FAIR risk methodology and its impact on the business landscape. From facing initial industry scepticism to achieving global recognition, Jack's story is a testament to innovation and perseverance. Alongside the creation of the FAIR Institute and the adoption of his standards across various sectors, Jack also teases his upcoming book focused on the controls analytics model. We discuss the evolving landscape of risk management and the potential for FAIR to automate and improve cybersecurity practices. Get ready to have your perspective on risk quantification transformed!

Key Talking Points:

1. Demystifying FAIR - Discover how Jack Jones broke new ground with the FAIR risk methodology, demystifying risk management for businesses worldwide and why industry giants are adopting his model to navigate the complexities of cybersecurity.

2. Resistance and Triumph - Hear the compelling tale of how Jack overcame industry resistance, with some even suggesting criminal negligence, to establish a new paradigm in risk assessment now embodied in the FAIR Institute and the Open FAIR standard.

3. Risk Beyond Cybersecurity - Learn how the versatile FAIR model transcends cybersecurity, influencing financial product design, operational risk measurement and even natural disaster assessments - a testimony to its adaptability and Jack's vision for its future potential.

For cybersecurity professionals eager to stay ahead of the curve and to refine their approach to risk management, this episode is not to be missed. Join us on Razorwire to hear the insights and backstories directly from the experts shaping the field.


“I did get some positive reactions from people in the industry, but I also got an email from someone in the industry … with a significant following and they wrote me a letter saying that I should be prosecuted for criminal negligence for having published this, that in his view, the word risk should be stricken from the English language.” 

- Jack Jones



Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen


In this episode, we covered the following topics:


- FAIR Risk Methodology Overview: A novel approach to risk assessment that simplifies risk management by addressing subjective probability factors and incorporating control efficacy.

- Development and Inspiration: The origins of the methodology and how inspiration from physics led to a new model for measuring control effectiveness in risk management.

- Industry Reaction and Growth: An exploration of the initial pushback against the methodology, followed by its adoption by The Open Group and the subsequent rapid expansion globally.

- Founding of the FAIR Institute: The establishment of a dedicated institute to provide resources and community engagement around the FAIR methodology.

- Advancement through Collaboration: How input from various industry professionals has contributed to the enhancement of the FAIR model, exemplified by the new materiality assessment.

- Communication and Misunderstandings: The challenges faced in conveying the principles of FAIR, leading to some recommendations to alter the model and the need for clearer communication.

- Widespread Adoption and Consistency: The pride in the widespread application of the FAIR methodology across different business domains and its consistent framework over time.

- Future Expansions and Applications: The anticipation of new additions to the FAIR model and its application beyond security, including financial, operational and natural disaster risk assessments.

- Automation in Risk Quantification: The evolving trend towards using technology such as AI to automate cyber risk quantification for timelier and mainstream industry applications.

- Resources and Further Engagement: Information on resources for learning more about the FAIR methodology, upcoming publications and ways to connect with thought leaders in the field.
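The frequency-and-controls approach summarised in the first talking point above (events per time period rather than a bare probability, with control efficacy folded in) can be made concrete with a small simulation. The Python below is an added illustration written for this page; it is not FAIR Institute or Open FAIR tooling, and every figure in it (a phishing-led credential-theft scenario, its loss ranges, the effect of adding MFA) is constructed for the example. It keeps the published FAIR factoring (Risk = Loss Event Frequency x Loss Magnitude; LEF = Threat Event Frequency x Vulnerability; Vulnerability derived from Threat Capability against Resistance Strength) but samples the three-point estimates with a triangular distribution rather than the PERT distribution FAIR tooling normally uses, so that it runs on the standard library alone.

```python
"""FAIR-style Monte Carlo estimate of annualised loss exposure.

Added illustration for this page, not FAIR Institute or Open FAIR tooling.
Factor structure follows the published FAIR ontology:
  Risk = Loss Event Frequency (LEF) x Loss Magnitude (LM)
  LEF  = Threat Event Frequency (TEF) x Vulnerability
  Vulnerability = P(Threat Capability > Resistance Strength)
All scenario figures below are constructed for the example.
"""
import math
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate (minimum, most likely, maximum).
    Sampled with a triangular distribution; FAIR tooling usually uses PERT,
    which is the simplification assumed here."""
    low: float
    likely: float
    high: float

    def sample(self, rng):
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate                  # threat events (attempts) per year
    threat_capability: Estimate    # percentile 0..100 of the threat community
    resistance_strength: Estimate  # percentile 0..100 of the control set
    primary_loss: Estimate         # per loss event: response, replacement, productivity
    secondary_loss: Estimate       # per loss event: fines, legal, customer churn
    secondary_probability: float   # chance a loss event also triggers secondary loss


def poisson(rng, lam):
    """Knuth's method; adequate for the small yearly rates used in scenarios."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def vulnerability(scn, rng=None, trials=2000):
    """Fraction of trials in which the attacker's capability beats the controls."""
    rng = random.Random(1) if rng is None else rng
    hits = sum(scn.threat_capability.sample(rng) > scn.resistance_strength.sample(rng)
               for _ in range(trials))
    return hits / trials


def annual_losses(scn, rng=None, years=5000):
    """Simulate independent years; each entry is that year's total loss."""
    rng = random.Random(1) if rng is None else rng
    vuln = vulnerability(scn, rng)
    results = []
    for _ in range(years):
        attempts = poisson(rng, scn.tef.sample(rng))                      # TEF
        loss_events = sum(rng.random() < vuln for _ in range(attempts))  # LEF
        total = 0.0
        for _ in range(loss_events):                                      # LM
            total += scn.primary_loss.sample(rng)
            if rng.random() < scn.secondary_probability:
                total += scn.secondary_loss.sample(rng)
        results.append(total)
    return results


def percentile(values, pct):
    ordered = sorted(values)
    return ordered[round(pct / 100 * (len(ordered) - 1))]


def summarise(losses):
    return {
        "mean": statistics.fmean(losses),
        "p10": percentile(losses, 10),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "max": max(losses),
        "p_any_loss": sum(1 for v in losses if v > 0) / len(losses),
    }


def risk_reduction(before, after, seed=1):
    """The executive's question: if we spend the money, how much less risk?"""
    b = summarise(annual_losses(before, random.Random(seed)))
    a = summarise(annual_losses(after, random.Random(seed)))
    cut = (1.0 - a["mean"] / b["mean"]) if b["mean"] else 0.0
    return b, a, cut


# Constructed scenario: phishing-led credential theft against a staff portal.
BASELINE = Scenario(
    name="credential theft, password-only portal",
    tef=Estimate(4, 10, 24),
    threat_capability=Estimate(30, 60, 90),
    resistance_strength=Estimate(20, 45, 70),
    primary_loss=Estimate(20_000, 60_000, 250_000),
    secondary_loss=Estimate(50_000, 300_000, 2_000_000),
    secondary_probability=0.15,
)
# Same scenario after adding phishing-resistant MFA: only resistance changes.
WITH_MFA = replace(BASELINE, name="credential theft, portal behind MFA",
                   resistance_strength=Estimate(60, 80, 95))

if __name__ == "__main__":
    before, after, cut = risk_reduction(BASELINE, WITH_MFA)
    for label, s in (("before", before), ("after", after)):
        print(f"{label:6} mean={s['mean']:>12,.0f} p50={s['p50']:>12,.0f} "
              f"p90={s['p90']:>12,.0f} P(any loss)={s['p_any_loss']:.2f}")
    print(f"mean annualised loss reduced by {cut:.0%}")
```

Running the module prints the before and after loss distributions; the useful output is the last line, which answers "how much less risk will we have" as a reduction in mean annualised loss with a percentile range behind it, rather than as a colour on a heat map. Note that the control change moves only the resistance-strength estimate: threat frequency and loss magnitude are left alone, which is how the FAIR factoring keeps a control decision from silently rewriting the rest of the scenario.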



Guest Bio


Jack Jones

Chairman Emeritus of the FAIR Institute

Jack has worked in information security for over 35 years, 10 years of which as a CISO with three different companies, including a Fortune 100 company. His work was recognised in 2006 with the ISSA Excellence in the Field of Security Practices award. Jack has received the CSO Compass award for risk management leadership and also had the privilege of participating in the ISACA task force that created the original Risk IT framework and led the development of ISACA’s CRISC certification programme. An adjunct instructor at Carnegie Mellon University, he teaches in the CISO executive programme. Jack also created the Factor Analysis of Information Risk (FAIR) and FAIR-CAM models, which have been adopted as international standards for measuring risk. In 2015, he co-authored a book on FAIR entitled Measuring and Managing Information Risk: A FAIR Approach, which was inducted into the Cyber Security Canon in 2016.



Resources Mentioned


- FAIR risk methodology

- Jim's recently released book, "The Cyber Sentinels Handbook"

- Kindle Unlimited

- RMI Solutions

- FAIR Institute

- FAIR Controls Analytics Model (FAIR-CAM)




Other episodes you'll enjoy


Cybersecurity in 2024: Expert Predictions You Need to Know

https://www.razorthorn.com/cybersecurity-in-2024-expert-predictions-you-need-to-know/


The Rise of Cyber Mercenaries: Governments’ Secret Weapons in Cyber Warfare

https://www.razorthorn.com/the-rise-of-cyber-mercenaries-governments-secret-weapons-in-cyber-warfare/


Connect with your host James Rees


Hello, I am James Rees, the host of the Razorwire podcast. This podcast brings you insights from leading cyber security professionals who dedicate their careers to making a hacker’s life that much more difficult.


Our guests bring you experience and expertise from a range of disciplines and from different career stages. We give you various viewpoints for improving your cyber security – from seasoned professionals with years of experience, triumphs and lessons learned under their belt, to those in relatively early stages of their careers offering fresh eyes and new insights.

With new episodes every other Wednesday, Razorwire is a podcast for cyber security enthusiasts and professionals providing insights, news and fresh ideas on protecting your organisation from hackers.

For more information about us or if you have any questions you would like us to discuss email podcast@razorthorn.com.

If you need consultation, visit www.razorthorn.com. We give our clients a personalised, integrated approach to information security, driven by our belief in quality and discretion.


Linkedin: Razorthorn Security

Youtube: Razorthorn Security

Twitter: @RazorThornLTD

Website: www.razorthorn.com



All rights reserved. © Razorthorn Security LTD 2023



Transcript

Jim:

Hello and welcome to another edition of Razorwire. And today we are going to be discussing the FAIR risk methodology, what it is, how it began, where it's come from, how it's changed, and what we're looking at for kind of like future iterations of that particular methodology for risk. I personally think it's one of the best methodologies within infosec that you can feasibly adopt. So today we're going to be chatting with the person who created it, a personal hero of mine and a legend in the community, Jack Jones. Welcome to the Razorwire podcast, where we discuss all things in the information security and cybersecurity world, from current events and trends through to commentary from experts in the field, providing vital advisory on what it is to work in the information security and cybersecurity space. And to discuss this subject matter today I have the legendary, he's a legend for me anyway, Jack Jones, who created the FAIR risk methodology. But I won't introduce him. I'm going to let him do that.

Jim:

Jack Jones, would you like to introduce yourself to our audience?

Jack Jones:

Sure. Thank you, first of all, for having me here. Yeah. I've been in technology since the early 80s and information security since the late 80s, when viruses first raised their ugly little heads in the world, and began in a very technical role. I mean, my first security responsibilities were managing the virus challenge in a banking environment. And my hobby became disassembling viruses and understanding them at the assembly language level to learn how they worked and that sort of thing. And I wrote a virus, again to understand them more effectively. Never released.

Jack Jones:

It didn't have a destructive payload, but it was an opportunity to learn by doing. Then went into intelligence services for the United States government, where I was again in a technical role dealing with security related things, and then came out of that and did attack and penetration work and managed security for another bank, then ended up in 2000 working for Nationwide Insurance as head of security architecture. And shortly after I began, the CISO left, and I was tagged as temporary CISO, and I was temporary CISO for six years there. And that's where I first sort of encountered the whole risk beast in any meaningful way, because as a new CISO, of course, the first thing you typically have to do is put together a strategy and then go beg for money and resources and support. And so I put together my strategy and I went on my dog and pony show to the executives, and one of them stopped me in the midst of my presentation and said, so tell me, Jack, how much risk do we have? And I was there to talk about threats and vulnerabilities, but he wanted to know about risk. And I shrugged and I said, well, lots. And he said, if we spend these millions of dollars you're asking for, how much less risk will we have? And I said, and I knew I was in trouble then, I sort of hung my head and said, well, we'll have less risk.

Jack Jones:

And he knew he wasn't going to get a better answer than that. It was a teaching moment. He was telling me that unless I could speak in these terms, I was just very expensive noise as far as he was concerned. And I took the lesson to heart and I thought, okay, this must have been a problem that's been solved by someone, and I just slept through that class or something. So I spent about a year researching all the different risk measurement practices at the time, most of which fundamentally haven't changed in the 20-odd years since. And none of them enabled me to answer those questions in any sort of reasonable or defensible fashion. So being a curious and persistent kind of person, I set about trying to figure it out and began developing what turned out to be FAIR and applying it there at Nationwide and whatnot.

Jack Jones:

So I applied it there to very good effect, and we can get into some of the benefits later on in our conversation, but went on from there to BCI, so to other organizations, and to co-found a startup that provided a platform for measuring risk quantitatively using FAIR. Just recently semi-retired from that startup world.

Jim:

Fantastic. It's a very similar route to the one that I actually took, again back in that kind of time period. A lot of infosec people got in through the IT space and, like yourself, weirdly enough, I cut my teeth with the AV problem back then, the ILOVEYOU virus and so on and so forth. My first kind of couple of roles, real roles in infosec, were in reinsurance firms, kind of insurance firms, reinsurance firms, that kind of thing. I had very similar problems when communicating to the powers that be. Trying to get money at that time period for information security certainly was a challenge, and I think everybody I've spoken to who was in that time period, and even beforehand, all have said the same thing: like, yeah, trying to get the security thing dealt with before an event would occur was really difficult. More often than not, it took an event that scared people enough to think, actually, what are we doing about this? And I remember I was working for the reinsurance firm at the time, or a reinsurance firm at the time, and I was racking my brains about how to communicate risk. And I was working in the reinsurance industry, and although I specialized in IT and information security at the time, I started thinking insurance people know more about risk than anybody.

Jim:

They've been doing it since day dot. What do they do? And I started looking online, and it was a very early time period. I don't think we even had Google at that point, or if we did, it was really early. And I came across your initial kind of paper on FAIR, and I read through it, and that light bulb moment for me was just like, wow, okay, this looks good. And this looks like something I can definitely put into an insurance or reinsurance firm because it's speaking their own kind of language. Because the model that was being used was very similar to what I was hearing from the actuaries. And one of the first roles that I had was for an American company. And they liked to do the whole kind of understand your work colleagues' work kind of thing.

Jim:

So there I was, a very young IT guy at the time, specializing in security, but I wasn't in that space fully at that point. And I sat in an office with a group of other IT guys and an actuary, who then proceeded to show us on a whiteboard how he calculates, I think it was marine risk. And I think I lost where I was within about 2 seconds of him starting to put the figures on the board and the probability factors and how they look at over 1000 year modelings. And I'm like, oh my God. He's using all the terms on a calculator that I've never used. And by the end of it, I felt like my brain was on fire and had to have some serious thoughts. But with your methodology, obviously, you kind of briefly mentioned kind of why you did it.

Jim:

What were the key factors in you developing it when you were kind of looking at it, thinking, right, what is it that I need to be able to communicate? What is it I need to be able to understand for myself, but also be able to work out in a way that the business will look at it and go, you've got a good point there.

Jack Jones:

Well, there were a number of key factors or criteria, I guess, that I had in my mind in creating this. First of all, it couldn't be rocket science. It had to straddle that line between where the actuaries like to operate, sometimes based on the data they have and the models that have been developed in their space and that sort of thing, they can play there. But we certainly didn't have that, even now, really, for cybersecurity. So it had to be a model that allowed us to apply quantitative methods in a defensible manner. It also had to be accessible to the people who, of course, had to use it. But we needed to be able to show our homework to the executives, too. So when we would be faced with some decision, business decision related to cybersecurity, we needed to provide recommendations regarding controls or that sort of thing, or prioritizing risk issues.

Jack Jones:

As you undoubtedly recall, and you kind of alluded to it, security was not always top of mind for the business in IT back in the day. And so what they were used to was security sort of being an obstacle. The explanation for our position was always, well, trust us, we're the experts, and this is really dangerous and you shouldn't be doing it, and that sort of thing. It was apparent to me that we needed to strike a different tone and be able to operate differently and, again, show our homework. So if we were going to come to conclusions and provide recommendations, we needed to be able to explain and defend those. And the basis for FAIR, and sort of the criteria I set for myself, was it had to be accessible to the security professionals who would be using it, but also be at a level that they could explain it to their constituents and their executive stakeholders in a way that would sort of bridge the knowledge gap. Right. And allow us to explain sometimes very technical security concerns to a very nontechnical audience in terms that they understood.

Jack Jones:

So that was the goal. And I think, by and large, I met those criteria. And FAIR has been pretty effective in those ways.

Jim:

You certainly did. One of the biggest problems I had in early kind of risk management, before I kind of adopted FAIR myself as my personal go-to way of handling risk, was probability factors, and that was always a problem. What's probable for me will be different for you, it'll be different for Phil over there, it'll be different for David, and it's very perspective driven. But when I got hold of the FAIR methodology and saw how you handled it, it was so much easier for them, not only for myself, but for a lot of other people to understand. I always found it very difficult to assign, like, a percentile probability factor to something that if it hasn't happened, talking about something that you've got very limited data for. Because I think part of the big thing about insurance is obviously they've got lots and lots of data sets they can use, data models and so on and so forth. And we at the time, especially at the time, maybe different slightly now, had comparatively hardly any data to go by. So the way that you handled it and some of the items within FAIR really worked back then and work so very well now.

Jim:

The fact that you don't deal with kind of like round probability factors, it's based off how many events within a time period. Absolutely fantastic. And your control strengths as well, because that was something I never used to see. In some of the original kind of risk stuff, you take into account the countermeasures you currently have in place and your capabilities currently in place, as well as who are we being attacked by? What's their capabilities? How did you kind of come to those particular items as being quite important within that calculation? Was it something more for us infosec people? Or was it actually, this is helping communicate to the C-suite or the board or the powers that be why we're coming to that deliberation?

Jack Jones:

The approach to factoring in controls was drawn from, I mean, the inspiration for it was really just sort of thinking through physics, if you will, or the physical environment. So I remember one of the inspirations for me was the whole rating scale for tornado strength, right, for wind speeds above this level and that sort of thing, and then structural requirements for buildings and getting certain forces that might be applied to them from wind and whatnot. And so I thought, well, if it works in the physical world, can we apply it in our problem space, too? And it's more problematic. It's challenging, because in our world, these aren't physical forces in most cases. So the measurements are more abstract. And for some people, very challenging to sort of wrap their heads around. A lot of people grok it pretty readily and can apply it.

Jack Jones:

I don't think I've ever run into anybody who's entirely satisfied with that approach, as useful as it is, because these are abstract measurements. I think most people are just like, okay, well, this is the best approach we've encountered, but there's room for improvement. And the good news is, and I don't know that we'll spend any time with this in our session today, we certainly can, if you're interested. But the new controls analytics model that I've published on, there's actually a new way to analyze control efficacy that can be measured empirically, I think. I haven't, unfortunately, had a chance to publish on that yet. There will be a white paper coming out very shortly that begins to introduce this, but I think it will represent a significant improvement over even what we've been doing with FAIR for years now.

Jim:

Yeah, because I noticed you've recently, August 15, there was an introduction of FAIR-MAM, which is the Materiality Assessment Model. So you're obviously sort of like, looking back at the kind of initial model and expanding upon it in ways that look absolutely amazing. But, I mean, were you quite surprised when you first released how popular it became? Because it became really popular over in the States for a lot longer before it really kind of came over here in the UK. What did that feel like, and how did that happen?

Jack Jones:

First of all, I'll say that as I developed FAIR, when I encountered sort of conceptual challenges, because of my own limitations quantitatively or in dealing with risk in a formal sense, I had at my disposal the senior vice presidents of the actuarial departments at Nationwide, and I had a great relationship with those two executives, and I would go to them with my concerns. Like, for example, I struggled at first differentiating possibility from probability, and I struggled with subjectivity and measurements and those sorts of things. And I would go to these very experienced executives and share my concerns, and they would help me reason through them and assure me that I was on solid footing and that sort of thing. So because of my ability to use them as a sounding board, I was confident that the approach was fundamentally sound. But I also had the opportunity then, as CISO, to train my staff or people in my organization on FAIR and begin to sort of apply it and learn through that application of it, refine it and refine how I communicated about it and that sort of thing. So I actually had, before I published that first paper, I had three plus years of experience in developing and applying this and evolving my own understanding of it. So that first paper, was I a little nervous? Yes, because that was my first white paper, but I'd also had an opportunity to present on FAIR at a couple of conferences before I'd written the white paper to get sort of an external perspective, because as a CISO in an organization, the people who work for you are probably not going to tell you you're as stupid as you might be in some cases. Getting this external feedback was important.

Jack Jones:

So I presented these conferences and got very positive reactions to it. And so, yes, I was nervous, but I didn't lose sleep over it.

Jim:

And what about the reception as well? Was it like a big sudden blow-up? Because you built an entire foundation, an institute out of it as well. Can you kind of go over that journey from releasing it, and all of a sudden, boom, you've got a nonprofit institute, and so on and so forth?

Jack Jones:

The time span between the initial white paper and the creation of the FAIR Institute was almost ten years between those two things, but there were sort of some key steps in between that are noteworthy, I think. But before we get into that, regarding sort of the response I got, I did get some positive reactions from people in the industry, but I also got an email from someone in the industry who I won't name because they're no longer with us and they're not in a position to sort of explain or defend what they did. But this was a person with a significant following, and they wrote me a letter saying that I should be prosecuted for criminal negligence for having published this, that in his view, the word risk should be stricken from the English language. And frankly, in a further dialogue with him, he explained that his view of what the world should do is simply follow his instruction with regard to security.

Jim:

Wow.

Jack Jones:

It was a bit of a shock to be told that I should be prosecuted for criminal negligence for publishing my white paper. So it was not all sunshine and roses with regard to the reactions. And there were other people who, and there still are today. In fact, there are people with significant voices in the industry who absolutely hate FAIR and the whole idea of cyber risk quantification. And they continue to act as sort of obstacles to adoption and evolution in our profession in this direction. So professions evolve slowly, and one quote that strikes a chord, and hopefully it really doesn't boil down quite to this, but the physicist Max Planck once said that science evolves one funeral at a time, as the old guard dies off and the new guard takes over. That's when advancements can take hold. And there's some truth in that in this, too.

Jack Jones:

I think a lot of the negativity around cyber quantification and FAIR comes from people who grew up in the profession believing that cyber quantification could not be done. It was just an absolute impossibility. They're invested in that belief and opinion and quick to let go of it. Of course, we all tend to be invested in things, the beliefs we've held for a long time and that sort of thing. So after that release, within, gosh, two years, I think, I got a call from the folks at The Open Group, if you're familiar with them, as a standards consortium, and they had read the white paper and wanted to discuss adopting it as a standard, as an Open Group standard. And so we had a number of conversations over several years about that and sort of worked through that, and they ended up adopting it as the Open FAIR standard and having a professional certification around it and that sort of thing. So that was a really good first step towards sort of formalizing it in the eyes and making it acceptable, if you will, or meaningful in the eyes of many people in the profession when something is sort of an accepted standard in that manner. The nature of The Open Group, and this is not a criticism, it's just the nature of these kinds of organizations.

Jack Jones:

The formality around them imposes sort of constraints in terms of how the things they adopt can evolve, and they're volunteer, largely volunteer efforts and that sort of thing. So some real challenges there. And I was presenting at the RSA conference one year, and I had a really large audience for this particular presentation. And one of my colleagues came up to me afterwards, and he said, these people seem very interested in this topic. Where do they go for more? I said, you know, that's a great question. There really isn't anything other than the occasional white paper, recording of a presentation. And he came up with the idea, this is Nick Sanna. He came up with the idea of the FAIR Institute as a community driven, community focused organization to provide a network of resources, people and resources for those who are interested in sort of helping the profession evolve in this direction.

Jack Jones:

And we really had no idea what to expect in terms of what that would turn out like or whether it would fly at all. And now we have 15,000 members globally and local chapters in 20-some-odd cities around the world. And so we began the FAIR Institute in 2016. In 2019, it was named one of the three most important institutions in the profession for the last 30 years after only being in existence for three years. So that was a surprise, a very pleasant surprise, of course.

Jim:

Much nicer than the last surprise, with...

Jack Jones:

A letter. Much nicer than that. It's been a journey. The adoption has begun to grow dramatically, both in terms of sort of just organizations and people adopting it by simply leveraging the terminology and the principles and the model as a way to calibrate their mental models of risk and how they talk about risk and that sort of thing, all the way, of course, to commercial platforms now that have baked FAIR in and help organizations sort of become efficient at its application.

Jim:

Yeah, I mean, I've noticed that it has taken a little while. And, I mean, I had a few conversations in the early days of, I mean, GRC has been around for a long time, but in the last couple of years, it's really blown up. And you started to see a number, I won't mention them, but a number of vendors coming up with their platforms and so on and so forth. I've always sat down with them, and they've shown this to me and I'm like, okay, that's cool. Where's the FAIR standard here? Because obviously you've got your risk module. It's always modular, so they can charge more. It's like, well, where's the FAIR model? Recently, some of them have been saying, oh, it's here. But initially it was like, oh, well, yeah, we're going to implement that down the line.

Jim:

When the institute kind of kicked in and you started getting support and helping other sort of other people, having input into how it was going to evolve, was that a relief for you? Because, I mean, obviously you've been kind of running it with it yourself. And if you're going into a company and you're the only infosec person, you kind of sit there and everything rests on your shoulders. And you're like, right, when can I start recruiting staff? And eventually, once you've communicated your risk methodology to them on why you should have more staff, because you've got a lot of other concerns and you start getting them, things get a little bit easier. You've got more people to draw upon, young blood as well. I mean, this is one of the things that I've always said when I do my mentoring, you get kind of like the old school guys who are there, and every now and then you'll get some of them who say, oh, I know everything there is to know about this subject matter. And you're like, yeah, okay, but listen to some of the new guys coming in, because some of the new people actually may have ideas based off of what they're seeing now, because how things are back in 2000 are definitely not how things are now. The technology has changed. Business has changed, the way we consume assets and the whole kind of cloud environment.

Jim:

All of these changes in technology have dramatically changed the way that we look at things like risk. And was it really good to have that kind of other people having that input?

Jack Jones:

More perspectives are almost always better than a single perspective. And so having people to act as sounding boards or to offer their own recommendations for advancements. So, for example, FAIR-MAM, that new materiality assessment, I had zero to do with that. I had no input to that whatsoever. That was developed by someone else, Erica Eager, and she did an amazing job. So that's an example of advancement in sort of the space that didn't require me. So that is, I think, a real benefit. And I'm thrilled to have more people involved now.

Jack Jones:

There are challenges that come with that, too, because, for example, over the years we've had, I don't know how many countless feels like people have said, well, you should change the model to this or you should add this or whatnot. And in the vast majority of those circumstances, their recommendation was actually demonstrated that they didn't understand the model or sort of the principles that underlie it, and their recommendation would have broken the model and not been an improvement. If anything, it would have been sort of degraded the model one form or another, but that's normal and natural and if anything, it just reflects that. I still had more to learn about communicating the principles and how the model worked so that people could avoid the misunderstanding behind those recommendations.

Jim [:

Absolutely. I mean, you're always going to get that as well. Looking at MAM as an example of kind of like how it's iterated, and it's kind of changing the way that you maybe look at some of that loss magnitude stuff within FAIR, and it's really drilling down into, I mean, I haven't gone through the whole thing, but it's relatively recent, August 2023. But it seems to be a really nice addition to that original kind of framework that you put in place. And the original framework is still pretty much the same as it was way back when. I know it's probably had a few refinements, obviously, looking at some of the documentation back then and kind of what you have on the website now, but it's still pretty much solidly the same kind of thing. And that must give you kind of measurable amounts of pride. Who adopts it? Obviously infosec.

Jim [:

People adopt this, but I've always maintained this is also a model that other people can adopt within business as well. And some of my customers that I've introduced this to have preferred this over whatever standard they've used before and then begun to adopt it in other areas. Have you had any kind of big surprises as to where it's been adopted? I mean, you must get some interesting feedback.

Jack Jones [:

Yeah, we do, and it has been surprising in some cases. I mean, the good news is pretty early on I recognized that FAIR was agnostic and could be applied to any form of risk. And as it's evolved, some of the refinements have been aimed at making it a little easier for folks outside of security to adopt it and apply it. I've had one financial institution actually apply FAIR in designing a financial product, in helping them sort of set and measure various sort of thresholds for loans and that sort of thing. It was a big surprise because you tend to think of that part of banking as being pretty well nailed down from a risk perspective, but it was fun to see that used. I've seen a number of organizations use it for operational risk outside of cyber technology, for health and safety, and for physical security, for natural disasters and those sorts of things. The largest company in the world, Walmart, uses it in operational risk. They did at one point.

Jack Jones [:

I haven't kept in touch with those folks recently, but they had a very progressive approach to the application of FAIR, which was fun to see. I've seen it used in military applications, and there's a little known sort of dimension to FAIR. But you can actually, and I've had conversations with people in the intelligence community about this, you can apply FAIR as an attacker to examine your target and sort of think about how to maximize risk for your target, that sort of thing. So there's that dimension too. And then you can also, as it turns out, instead of at the top of the model having the word risk, you can have opportunity or gain. And then loss event frequency becomes opportunity frequency, and loss magnitude becomes gain magnitude, those sorts of things. With minor tweaks throughout the model, it now becomes a tool you can use for sales and marketing.

Jim [:

I knew you could probably do it with things like sales and marketing and all the rest of it, because I looked at some of the, I've been dealing with the standard now for so long, you can actually see different applications for it. I never thought about the attacker thing. That's really interesting. Makes me want to do a little exercise now and see what I can do, obviously legitimately. But just model an attack, because it's a great analysis model for pulling in information and being able to determine kind of a course of action. So why shouldn't it be able to be applied in a different way? So if any of you are listening out there, please, bad guys, don't listen. This is our model, not your model.

Jack Jones [:

I'm sure the bad guys don't listen. They're focused on their bad guy podcasts.

Jim [:

Well, to be honest, I think this is where the changing face of information security is getting. It's interesting, but also quite frightening. We've had a lot of people on the podcast, we talk about threat intelligence, that kind of thing. It was the year 2000, Y2K, people worried about planes falling out of the sky or a nuclear power station going into meltdown just because some digits went a little bit awry on a machine. And then after that it was viruses, the ILOVEYOU virus. A lot of people watching this may not even remember that. And criminal gangs back then were not what they are now. Now we're seeing really dedicated people who, in essence, operate similar to any organization.

Jim [:

They have component parts. They get better support in some cases for their tooling than we do in the real world.

Jack Jones [:

Many of them have more resources than control. I work at.

Jim [:

Oh, yeah, absolutely. And of course there's more vested interest in them securing themselves because obviously they don't want to get caught. So it's definitely a changing world where it's becoming more important to use risk modeling to be able to determine where you need to go, what you need to do, where your weaknesses are. What's next for FAIR? I mean, we've talked about the history, we've talked about kind of the evolving model. Where are we going with it now? What are your kind of projections? Obviously, we've got MAM, and you mentioned earlier on also that you've got something secret or an evolution in the wings. What are we looking at? How are you changing it?

Jack Jones [:

The changes I'm really focused on are really around the controls analytics model, FAIR-CAM, that I published a preliminary version of a couple of years ago, which is continuing to evolve. And I'm currently in the midst of writing, co-authoring, the second edition of the FAIR book, and in that there will be a completely rewritten controls chapter. But right now, what I'm in the midst of is writing the chapter on automating cyber risk quantification in organizations. Because as a user of FAIR, as good as it is, it takes time and resources to apply it. Right, to have the conversations and gather the data and that sort of thing. People like yourself and others who are, I would characterize, more forward thinking in sort of their approach to measurement and understanding of the problem space are fine with spending the time to understand it and apply it in that manner. It'll never become mainstream in the industry as long as it's primarily a manual process, and so it has to be automated. You won't, of course, be able to automate all of your analyses.

Jack Jones [:

There are a lot of reasons for that, but just on the face of it, let's accept that I'm right about that. But we should be able to automate many of the scenarios that we care about and allow us to do more timely, almost real time sorts of updates to our understanding of the risk in our organizations and which changes are going to be most cost effective for us and those sorts of things. So that's really where it needs to go. Certainly there will be a role for AI in that, but the application of AI in that right now is problematic, primarily because there just isn't enough of the right kind of data to train it. That will change over time, but that's sort of the current state. But that's the future, where we will be able to automate sort of the run of the mill analyses, the kinds of things that we face every day, and then that will leave us free to deal with the, I would argue, more interesting, perplexing risk challenges and apply our skills there, leveraging the automation to deal with the run of the mill.

Jim [:

And I totally agree, and I think that's a brilliant direction to take. And you're absolutely right. Data in this space is really hard to come by. There's no data sharing. People don't really want to discuss amongst themselves, kind of like, really what happened during incidents. There's marketing and PR involved with all of that. And what I like about the security community, and I'm talking at Cyber Week actually in a few weeks' time, is that we're really good at communicating with one another and relatively openly. I mean, you get a few interesting characters, like the one who sent you the letter, who quite frankly should probably consider their sims and go through their own bins.

Jim [:

We're pretty good at it. Whenever you're looking at risk management, like those insurance people, they need a data set to go back on, and automating some of that data collection, automating some of that analysis utilizing current tool sets. I mean, crypt, you go back, what, 20-odd years? We were doing this on Excel spreadsheets if we were lucky. Now we have the ability to utilize technology to make our jobs easier and allow us to refine our risk determinations based off of much bigger sets. Because you've been a CISO, you've been in the infosec thing. You know what it's like to sort of try to figure out what happened in an event log set from a firewall where, I mean, if it was a physical set of logs that was put on your desk, it would probably break the desk. And you've got to go through with your team and figure out exactly what happened and when. We've got a much better and richer set of tools than we ever have in the past.

Jim [:

I mean, again, 20 years ago it was a bit of AV, and you were lucky if you had a decent firewall as well. Now we've got all kinds of technology which generates logs, which can allow automation and even AI. I mean, I'm very hesitant with the word AI because everybody uses it, all the vendors are using it at the moment, but it is a good way of enriching kind of the information that we're getting so we can make better determinations and more accurate determinations as well. Because you're absolutely right. In any kind of profiling set, you initially do it and then you refine your set, and then you kind of find some other threats that may pop up to various different assets and so on and so forth. And it takes time. It's not like you can do it for 20 minutes and boom, you know all the risks to your environment and what the implications are. But no, I think that's great, and that's a great step forward.

Jim [:

And I'm looking forward to seeing these additions to the standard. And I personally will continue to advocate this standard. And it's great to hear that it's being used in other places as well. It's quite interesting. That was one of the questions that I was asked to ask you, actually. Now, I mean, obviously we've reached the top end. Where can people find you? Do you want to kind of tell people out there where to get access to the FAIR standard? Obviously you've got a website, you've got the institute and what have you.

Jim [:

Do you just kind of want to tell people where they can find you?

Jack Jones [:

Certainly. So I can be reached through, of course, LinkedIn, but also, in my semi-retired mode, I've hung out my own shingle as Jack at RMI Solutions, so people can reach me there. I love to engage with people and answer questions. I encourage people to ping me if they have questions or feedback. I'm always looking for feedback. I am excited about what's coming, particularly with regard to the controls analytics, because I think after the second edition of the FAIR book is finished, I'm under contract to write a book on the controls analytics model, FAIR-CAM. I honestly believe that that will have a more profound effect on our profession than even FAIR has. Maybe if there's interest, we can have a session on that.

Jim [:

Absolutely. As I said at the beginning, you're a legend to me. You can come onto my podcast anytime you want. It's been fantastic learning a bit more about FAIR. If any of you out there want to learn more about FAIR, it's www.fairinstitute.org. Go over there, learn for yourself, obviously. Buy Jack's book or wait for the next edition. And please feel free to kind of communicate to us if there's anything in addition that you want us to kind of cover.

Jim [:

Maybe if Jack's really nice, he'll come back and answer some of your questions, if you've got them, anytime. Brilliant. Fantastic. So thank you ever so much, Jack. It's been fantastic. Jack, thank you ever so much for coming on the podcast.

Jack Jones [:

Thanks for having me. It's been fun.

Jim [:

Fantastic. And thank you for listening to the latest edition of Razorwire. It's always good to get feedback. Please feel free to reach out to us. You can reach out to us via LinkedIn or through our website, www.razorthorn.com. If you feel that there's something that we should cover, maybe a little bit more in depth, a new topic or something of interest to you or the community at large, or you've got any recommendations or you want us to interview people, we'll reach out to those individuals. So it'd be great to see what your feedback is.

Jim [:

In addition, I do have a book recently come out, The Cyber Sentinels Handbook, a primer for information security professionals. Now, this book is very much geared up towards professionals at all levels of their career, be they starters, be they newcomers, be they people who have been in it for a little while and maybe looking for a little bit more direction, or the older ones looking to maybe reground themselves in some of the more important aspects of the trade that maybe they've forgotten over time. I've had lots of good feedback from a lot of different readers of lots of different levels, so please feel free to get yourselves a copy. We've got the e-copy. We've also got the paperback copy. And if you don't want to spend any money, you can go on Kindle Unlimited and read the book for free there as well. Thank you ever so much again. Look after yourselves and we'll be seeing you again soon.


About the Podcast

Razorwire Cyber Security
The Podcast For Cyber Security Professionals
Welcome to the Razorwire podcast where we share information, best practices and up to date news in cyber security and infosec.

Our mission is to help you become a better cyber security professional and support our vision of creating an agile community of cyber professionals who are stronger than ever before.

This show is first and foremost about sharing knowledge and benefiting from collaboration. We bring you the advice and wisdom of both your host, James Rees, and his guests to build on the strength and depth of your own knowledge and experience.

Your host James Rees is an information security veteran with over 25 years of industry experience and is the founder of Razorthorn Security, delivering expert security consultancy and testing services on a day to day basis to some of the largest and most influential organisations in the world, including many in the Fortune 500.

The Razorwire podcast is for cyber security professionals looking for new ideas and the drive to improve their response to cyber security events. Through collaboration, we can strengthen our defences.

For more information about us or if you have any questions you would like us to discuss on the podcast email podcast@razorthorn.com or head to www.razorthorn.com

About your host


Matt Cheney

Matt is a podcast & content creation coach with over 17 years of professional experience. He has delivered content for global media platforms, brands, broadcasters, and apps, producing EMMY award-winning music features, BAFTA nominated animations, and iTunes chart-topping podcasts, among other projects. He has edited & mixed over 650 hrs of TV, recorded 10,000 hrs of narration and podcasts, and produced 10,000's of media assets for brands such as BBC, SKY, Nike, O2, Audi, RCA, Amazon, Google.
As the former Head of Audio for Vice Media UK and Rapid Pictures Post Production in London, Matt is well-versed in media and technology, as well as in leading and training creative teams.