ICYMI: Concept Creep: Why Cyber Risk Problems Never Get Solved

I had a great time writing this post for the FAIR Institute. I was inspired by post-doc David Levari of the Harvard Business School’s article in The Conversation called Why Your Brain Never Runs out of Problems to Find. In it he talks about how our brains have a sliding scale of what “badness” is over time and how something will always occupy the spot of “badness” even when its not that big of a deal. In my write-up, I apply that to cybersecurity and include some pointers for FAIR practitioners.

You can read my latest FAIR Institute post here.

Using Risk to Justify Security Strategy and Spending

I wrote a piece for RiskLens* recently that talks about how to utilize FAIR for building and justifying an information security budget and strategic initiatives. Its an interesting problem space as there is a need to have the appropriate level of abstraction (program level versus technology level) but its also a very solvable problem to add risk reduction justification to these annual budgetary exercises.

Fun story: one time I did this exercise years ago, I actually rated one initiative as *increasing* risk. It started an interesting discussion but the lesson is that not everything will result in less risk to your organization. Budgeting is a complicated amalgam of math, politics, and priorities; be sure to bolster your budgeting process with some risk arguments.

Click here for the RiskLens article: How CISOs Use FAIR to Set Strategic Priorities for Spending

*I am a professional advisor for RiskLens

Joined RiskLens as Professional Advisor

I recently accepted a position with RiskLens as a professional advisor. I’m looking forward to working with Jack Jones again as well the great team they have assembled there. My immediate project there will be advising on the product roadmap and assist them with taking their amazing quantitative risk platform to the next level.

Official announcement here.