Open Group Panel Explores Changing Field of Risk
Management and Analysis in the Era of Big Data
Transcript of a BriefingsDirect podcast on the threats from and promise of big data in securing
enterprise information assets.

Listen to the podcast. Find it on iTunes. Sponsor: The Open Group


Dana Gardner: Hello, and welcome to a special BriefingsDirect thought leadership interview
series coming to you in conjunction with The Open Group Conference on January 28 in Newport
Beach, California.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, and I'll be your host and moderator
throughout these business transformation discussions. The conference itself is focusing on big
data, the transformation we need to embrace today.

We're here now with a panel of experts to explore new trends and solutions in the area of risk
management and analysis. We'll learn how large enterprises are delivering risk assessments and
risk analysis, and we'll see how big data can be both an area to protect from, in the form of risks,
and a tool for better understanding and mitigating risks.

With that, please join me in welcoming our panel. We're here with Jack Freund, PhD, the
Information Security Risk Assessment Manager at TIAA-CREF. Welcome, Jack.

Jack Freund: Hello Dana, how are you?

Gardner: I'm great. Glad you could join us.

We are also here with Jack Jones, Principal of CXOWARE. He has more than nine years'
experience as a Chief Information Security Officer, and is the inventor of the Factor Analysis of
Information Risk (FAIR) framework. Welcome, Jack.

Jack Jones: Thank you.

And we're also here with Jim Hietala, Vice President, Security for The Open Group. Welcome,
Jim.

Jim Hietala: Thanks, Dana.

Gardner: All right, let’s start out with looking at this from a position of trends. Why is the issue
of risk analysis so prominent now? What's different from, say, five years ago? And we'll start
with you, Jack Jones.

Jones: The information security industry has struggled with getting the attention of and support
from management and businesses for a long time, and it has finally come around to the fact that
the executives care about loss exposure -- the likelihood of bad things happening and how bad
those things are likely to be.

It's only when we speak of those terms or those issues in terms of risk, that we make sense to
those executives. And once we do that, we begin to gain some credibility and traction in terms of
getting things done.

Gardner: So we really need to talk about this in the terms that a business executive would
appreciate, not necessarily an IT executive.


Effects on business

Jones: Absolutely. They're tired of hearing about vulnerabilities, hackers, and that sort of thing.
It’s only when we can talk in terms of the effect on the business that it makes sense to them.

Gardner: Jack Freund, I should also point out that you have more than 14 years in enterprise IT
experience. You're a visiting professor at DeVry University and you chair a risk-management
subcommittee for ISACA? Is that correct?

Freund: ISACA, yes.

Gardner: And do you agree?

Freund: The problem that we have as a profession, and I think it’s a big problem, is that we have
allowed ourselves to escape the natural trend that the other IT professionals have already taken.

There was a time, years ago, when you could code in the basement, and nobody cared much
about what you were doing. But now, largely speaking, developers and systems administrators
are very focused on meeting the goals of the organization.

Security has been allowed to miss that boat a little. We have been allowed to hide behind this
aura of a protector and of an alerter of terrible things that could happen, without really tying
ourselves to the problem that the organizations are facing and how we can help them succeed in
what they're doing.

Gardner: Jim Hietala, how do you see things that are different now than a few years ago when it
comes to risk assessment?

Hietala: There are certainly changes on the threat side of the landscape. Five years ago, you
didn’t really have hacktivism or this notion of an advanced persistent threat (APT). That highly
skilled attacker taking aim at governments and large organizations didn’t really exist -- or didn’t
exist to the degree it does today. So that has changed.

You also have big changes to the IT platform landscape, all of which bring new risks that
organizations need to really think about. The mobility trend, the cloud trend, the big-data trend
that we are talking about today, all of those things bring new risk to the organization.

As Jack Jones mentioned, business executives don't want to hear about, "I've got 15
vulnerabilities in the mobility part of my organization." They want to understand what’s the risk
of bad things happening because of mobility, what we're doing about it, and what’s happening to
risk over time?

So it’s a combination of changes in the threats and attackers, as well as just changes to the IT
landscape, that we have to take a different look at how we measure and present risk to the
business.

Gardner: Because we're at a big-data conference, do you share my perception, Jack Jones, that
big data can be a source of risk and vulnerability, but also the analytics and the business
intelligence (BI) tools that we're employing with big data can be used to alert you to risks or
provide a strong tool for better understanding your true risk setting or environment.


Crown jewels

Jones: You are absolutely right. You think of big data and, by definition, it’s where your crown
jewels, and everything that leads to crown jewels from an information perspective, are going to
be found. It's like one-stop shopping for the bad guy, if you want to look at it in that context. It
definitely needs to be protected. The architecture surrounding it and its integration across a lot
of different platforms and such can be leveraged and probably result in a complex landscape to
try and secure.

There are a lot of ways into that data and such, but at least if you can leverage that same big
data architecture, it's an approach to information security. With log data and other
threat and vulnerability data and such, you should be able to make some significant gains in
terms of how well-informed your analyses and your decisions are, based on that data.

Gardner: Jack Freund, do you share that? How does big data fit into your understanding of the
evolving arena of risk assessment and analysis?

Freund: If we fast-forward it five years, and this is even true today, a lot of people on the cutting
edge of big data will tell you the problem isn’t so much building everything together and figuring
out what it can do. They are going to tell you that the problem is what we do once we figure out
everything that we have. This is the problem that we have traditionally had on a much smaller
scale in information security. When everything is important, nothing is important.

Gardner: To follow up on that, where do you see the gaps in risk analysis in large
organizations? In other words, what parts of organizations aren’t being assessed for risk and
should be?

Freund: The big problem that exists largely today in the way that risk assessments are done is
the focus on labels. We want to quickly address the low, medium, and high things and know
where they are. But the problem is that there are inherent problems in the way that we think
about those labels, without doing any of the analysis legwork.

I think what’s really missing is that true analysis. If the system goes offline, do we lose
money? If the system becomes compromised, what are the cost-accounting things that will
happen that allow us to figure out how much money we're going to lose?

That analysis work is largely missing. That’s the gap. The gap is if the control is not in place,
then there’s a risk that must be addressed in some fashion. So we end up with these very long
lists of horrible, terrible things that can be done to us in all sorts of different ways, without any
relevance to the overall business of the organization.

Every day, our organizations are out there selling products, offering services, which is, in and of
itself, its own risky venture. So tying what we do from an information security perspective to that
is critical for not just the success of the organization, but the success of our profession.

Gardner: So we can safely say that large companies are probably pretty good at a cost-benefit
analysis or they wouldn't be successful. Now, I guess we need to ask them to take that a step
further and do a cost-risk analysis, but in business terms, being mindful that their IT systems
might be a much larger part of that than they had at once considered. Is that fair, Jack?


Risk implications

Jones: Businesses have been making these decisions, chasing the opportunity, but generally,
without any clear understanding of the risk implications, at least from the information security
perspective. They will have us in the corner screaming and throwing red flags in there, and
talking about vulnerabilities and threats from one thing or another.

But, we come to the table with red, yellow, and green indicators, and on the other side of the
table, they’ve got numbers. Well, here is what we expect to earn in revenue from this initiative,
and the information security people are saying it’s crazy. How do you normalize the quantitative
revenue gain versus red, yellow, and green?

Gardner: Jim Hietala, do you see it in the same red, yellow, green or are there some other
frameworks or standard methodologies that The Open Group is looking at to make this a bit
more of a science?

Hietala: Probably four years ago, we published what we call the Risk Taxonomy Standard which
is based upon FAIR, the management framework that Jack Jones invented. So, we’re big
believers in bringing that level of precision to doing risk analysis. Having just gone through
training for FAIR myself, as part of the standards effort that we’re doing around certification, I
can say that it really brings a level of precision and a depth of analysis to risk analysis that's been
lacking frequently in IT security and risk management.

Gardner: We’ve talked about how organizations need to be mindful that their risks are higher
and different than in the past and we’ve talked about how standardization and methodologies are
important, helping them better understand this from a business perspective, instead of just a
technology perspective.

But, I'm curious about a cultural and organizational perspective. Whose job should this fall
under? Who is wearing the white hat in the company and can rally the forces of good and make
all the bad things managed? Is this a single person, a cultural, an organizational mission? How do
you make this work in the enterprise in a real-world way? Let's go to you, Jack Freund.

Freund: The profession of IT risk management is changing. That profession will have to sit
between the business and information security inclusive of all the other IT functions that make
that happen.

In order to be successful sitting between these two groups, you have to be able to speak the
language of both of those groups. You have to be able to understand profit and loss and capital
expenditure on the business side. On the IT risk side, you have to be technical enough to do all
those sorts of things.

But I think the sum total of those two things is probably only about 50 percent of the job of IT
risk management today. The other 50 percent is communication. Finding ways to translate that
language and to understand the needs and concerns of each side of that relationship is really the
job of IT risk management.

To answer your question, I think it’s absolutely the job of IT risk management to do that. From
my own experiences with the FAIR framework, I can say that using FAIR is the Rosetta Stone
for speaking between those two groups.


Necessary tools

It gives you the tools necessary to speak in the insurance and risk terms that business
appreciate. And it gives you the ability to be as technical and just nerdy, if you will, as you need
to be in order to talk to IT security and the other IT functions in order to make sure everybody is
on the same page and everyone feels like their concerns are represented in the risk-assessment
functions that are happening.

Gardner: Jack Jones, can you add to that?

Jones: I agree with what Jack said wholeheartedly. I would add, though, that integration or
adoption of something like this is a lot easier the higher up in the organization you go.

For CFOs traditionally, their neck is most clearly on the line for risk-related issues within most
organizations. At least in my experience, if you get their ear on this and present the information
security data analyses to them, they jump on board, they drive it through the organization, and
it's just brain-dead easy.

If you try to drive it up through the ranks, maybe you get an enthusiastic supporter in the
information security organization, especially if it's below the CISO level, and they try a
grassroots sort of effort to bring it in, it's a tougher thing. It can still work. I've seen it work very
well, but, it's a longer row to hoe.

Gardner: There have been a lot of research, studies, and surveys on data breaches. What are
some of the best sources, or maybe not so good sources, for actually measuring this? How do
you know if you’re doing it right? How do you know if you're moving from yellow to green,
instead of to red? To you, Jack Freund.

Freund: There are a couple of things in that question. The first is there's this inherent assumption
in a lot of organizations that we need to move from yellow to green, and that may not be the
case. So, becoming very knowledgeable about the risk posture and the risk tolerance of the
organization is a key.

That's part of the official mindset of IT security. When you graduate an information security
person today, they are minted knowing that there are a lot of bad things out there, and their goal
in life is to reduce them. But, that may not be the case. The case may very well be that things are
okay now, but we have bigger things to fry over here that we’re going to focus on. So, that's one
thing.

The second thing, and it's a very good question, is how we know that we’re getting better? How
do we trend that over time? Overall, measuring that value for the organization has to be able to
show a reduction of a risk or at least reduction of risk to the risk-tolerance levels of the
organization.

Calculating and understanding that requires something that I always phrase as we have to
become comfortable with uncertainty. When you are talking about risk in general, you're talking
about forward-looking statements about things that may or may not happen. So, becoming
comfortable with the fact that they may or may not happen means that when you measure them
today, you have to be willing to be a little bit squishy in how you’re representing that.

In FAIR and in other academic works, they talk about using ranges to do that. So, things like
high, medium, and low could be represented in terms of a minimum, maximum, and most likely.
And that tends to be very, very effective. People can respond to that fairly well.


Gathering data

Jones: With regard to the data sources, there are a lot of people out there doing these sorts of
studies, gathering data. The problem that's hamstringing that effort is the lack of a common set of
definitions, nomenclature, and even taxonomy around the problem itself.

You will have one study that will have defined threat, vulnerability, or whatever differently from
some other study, and so the data can't be normalized. It really harms the utility of it. I see data
out there and I think, "That looks like that can be really useful." But, I hesitate to use it because I
don't understand. They don't publish their definitions, approach, and how they went after it.

There's just so much superficial thinking in the profession on this that we now have dug under
the covers. Too often, I run into stuff that just can't be defended. It doesn’t make sense, and
therefore the data can't be used. It's an unfortunate situation.

I do think we’re heading in a positive direction. FAIR can provide a normalizing structure for
that sort of thing. The VERIS framework, which by the way, is also derived in part from FAIR,
also has gained real attraction in terms of the quality of the research they have done and the data
they’re generating. We’re headed in the right direction, but we’ve got a long way to go.

Gardner: Jim Hietala, we’re seemingly looking at this on a company-by-company basis. But, is
there a vertical industry slice or industry-wide slice where we could look at what's happening to
everyone and put some standard understanding, or measurement around what's going on in the
overall market, maybe by region, maybe by country?

Hietala: There are some industry-specific initiatives and what's really needed, as Jack Jones
mentioned, are common definitions for things like breach, exposure, loss, all those, so that the
data sources from one organization can be used in another, and so forth. I think about the
financial services industry. I know that there is some information sharing through an organization
called the FS-ISAC about what's happening to financial services organizations in terms of
attacks, loss, and those sorts of things.

There's an opportunity for that on a vertical-by-vertical basis. But, like Jack said, there is a long
way to go on that. In some industries, healthcare for instance, you are so far from that, it's
ridiculous. In the US here, the HIPAA security rule says you must do a risk assessment. So,
hospitals have done annual risk assessments, will stick the binder on the shelf, and they don't
think much about information security in between those annual risk assessments. That's a
generalization, but various industries are at different places on a continuum of maturity of their
risk management approaches.

Gardner: As we get better with having a common understanding of the terms and the
measurements and we share more data, let's go back to this notion of how to communicate this
effectively to those people that can use it and exercise change management as a result. That
could be the CFO, the CEO, what have you, depending on the organization.

Do you have any examples? Can we look to an organization that's done this right, and examine
their practices, the way they’ve communicated it, some of the tools they’ve used and say, "Aha,
they're headed in the right direction maybe we could follow a little bit." Let's start with you, Jack
Freund.

Freund: I have worked and consulted for various organizations that have done risk management
at different levels. The ones that have embraced FAIR tend to be the ones that overall feel that
risk is an integral part of their business strategy. And I can give a couple of examples of
scenarios that have played out that I think have been successful in the way they have been
communicated.


Coming to terms

The key to keep in mind with this is that one of the really important things is that when you're a
security professional, you're again trained to feel like you need results. But, the results for the IT
risk management professional are different. The results are "I've communicated this effectively,
so I am done." And then whatever the results are, are the results that needed to be. And that's a
really hard thing to come to terms with.

I've been involved in large-scale efforts to assess risk for a cloud venture. We needed to move
virtually every confidential record that we have to the cloud in order to be competitive with the
rest of our industry. If our competitors are finding ways to utilize the cloud before us, we can lose
out. So, we need to find a way to do that, and to be secure and compliant with all the laws and
regulations and such.

Through that scenario, one of the things that came out was that key ownership became really,
really important. We had the opportunity to look at the various control structures and we
analyzed them using FAIR. What we ended up with was sort of a long-tail risk. Most people will
probably do their job right over a long enough period of time. But, over that same long period of
time, the odds of somebody making a mistake not in your favor are probably likely, but, not
significantly enough so that you can't make the move.

But, the problem became that the loss side, the side that typically gets ignored with traditional
risk-assessment methodologies, was so significant that the organization needed to make some
judgment around that, and they needed to have a sense of what we needed to do in order to
minimize that.

That became a big point of discussion for us and it drove the conversation away from bad things
could happen. We didn’t bury the lead. The lead was that this is the most important thing to this
organization in this particular scenario.

So, let's talk about things we can do. Are we comfortable with it? Do we need to make any sort
of changes? What are some control opportunities? How much do they cost? This is a
significantly more productive conversation than just, "Here is a bunch of bad things that happen.
I'm going to cross my arms and say no."

Gardner: Jack Jones, examples at work?

Jones: In an organization that I've been working with recently, their board of directors said they
wanted a quantitative view of information security risk. They just weren’t happy with the red,
yellow, green. So, they came to us, and there were really two things that drove them there. One
was that they were looking at cyber insurance. They wanted to know how much cyber insurance
they should take out, and how do you figure that out when you've got a red, yellow, green scale?

They were able to do a series of analyses on a population of the scenarios that they thought were
relevant in their world, get an aggregate view of their annualized loss exposure, and make a
better informed decision about that particular problem.

Gardner: I'm curious how prevalent cyber insurance is, and is that going to be a leveling effect
in the industry where people speak a common language the equivalent of actuarial tables, but for
security in enterprise and cyber security?

Jones: One would dream and hope, but at this point, what I've seen out there in terms of the
basis on which insurance companies are setting their premiums and such is essentially the same
old “risk assessment” stuff that the industry has been doing poorly for years. It's not based on
data or any real analysis per se, at least what I’ve run into. What they do is set their premiums
high to buffer themselves and typically cover as few things as possible. The question of how
much value it's providing the customers becomes a problem.


Looking to the future

Gardner: We’re coming up on our time limit. So, let's quickly look to the future. Is there such
thing as risk management as a service? Can we outsource this? Is there a way in which moving
more of IT into cloud or hybrid models would mitigate risk, because the cloud provider would
standardize? Then, many players in that environment, those who were buying those services,
would be under that same umbrella? Let's start with you Jim Hietala. What's the future of this
and what do the cloud trends bring to the table?

Hietala: I’d start with a maxim that comes out of the financial services industry, which is that
you can outsource the function, but you still own the risk. That's an unfortunate reality. You can
throw things out in the cloud, but it doesn’t absolve you from understanding your risk and then
doing things to manage it to transfer it if there's insurance or whatever the case may be.

That's just a reality. Organizations in the risky world we live in are going to have to get more
serious about doing effective risk analysis. From The Open Group standpoint, we see this as an
opportunity area.

As I mentioned, we’ve standardized the taxonomy piece of FAIR. And we really see an
opportunity around the profession going forward to help the risk-analysis community by further
standardizing FAIR and launching a certification program for a FAIR-certified risk analyst. That's
in demand from large organizations that are looking for evidence that people understand how to
apply FAIR and use it in doing risk analyses.

Gardner: Jack Freund, looking into your crystal ball, how do you see this discipline evolving?

Freund: I always try to consider things as they exist within other systems. Risk is a system of
systems. There are a series of pressures that are applied, and a series of levers that are thrown in
order to release that sort of pressure.

Risk will always be owned by the organization that is offering that service. If we decide at some
point that we can move to the cloud and all these other things, we need to look to the legal
system. There is a series of pressures that they are going to apply, and who is going to own that,
and how that plays itself out.

If we look to the Europeans and the way that they’re managing risk and compliance, they’re still
as strict as we in the United States think that they may be about things, but there's still a lot of
leeway in a lot of the ways that laws are written. You’re still being asked to do things that are
reasonable. You’re still being asked to do things that are standard for your industry. But, we'd
still like the ability to know what that is, and I don't think that's going to go away anytime soon.


Judgment calls

We’re still going to have to make judgment calls. We’re still going to have to do 100 things
with a budget for 10 things. Whenever that happens, you have to make a judgment call. What's
the most important thing that I care about? And that's why risk management exists, because
there’s a certain series of things that we have to deal with. We don't have the resources to do
them all, and I don't think that's going to change over time. Regardless of whether the landscape
changes, that's the one that remains true.

Gardner: The last word to you, Jack Jones. It sounds as if we’re continuing down the path of
being mostly reactive. Is there anything you can see on the horizon that would perhaps tip the
scales, so that the risk management and analysis practitioners can really become proactive and
head things off before they become a big problem?

Jones: If we were to take a snapshot at any given point in time of an organization’s loss
exposure, how much risk they have right then, that's a lagging indicator of the decisions they’ve
made in the past, and their ability to execute against those decisions.

We can do some great root-cause analysis around that and ask how we got there. But, we can
also turn that coin around and ask how good we are at making well-informed decisions, and then
executing against them, then asking what that implies from a risk perspective downstream.

If we understand the relationship between our current state, and past and future states, we have
those linkages defined, especially, if we have an analytic framework underneath it. We can do
some marvelous what-if analysis.

What if this variable changed in our landscape? Let's run a few thousand Monte Carlo
simulations against that and see what comes up. What does that look like? Well, then let's change
this other variable and then see which combination of dials, when we turn them, make us most
robust to change in our landscape.

But again, we can't begin to get there, until we have this foundational set of definitions,
frameworks, and such to do that sort of analysis. That's what we’re doing with FAIR, but without
some sort of framework like that, there's no way you can get there.

Gardner: I am afraid we’ll have to leave it there. We’ve been talking with a panel of experts on
how new trends and solutions are emerging in the area of risk management and analysis. And
we’ve seen how new tools for communication and using big data to understand risks are also
being brought to the table.

This special BriefingsDirect discussion comes to you in conjunction with The Open Group
Conference in Newport Beach, California. I'd like to thank our panel: Jack Freund, PhD,
Information Security Risk Assessment Manager at TIAA-CREF. Thanks so much Jack.

Freund: Thank you, Dana.

Gardner: We’ve also been speaking with Jack Jones, Principal at CXOWARE.

Jones: Thank you. Thank you, pleasure to be here.

Gardner: And last, Jim Hietala, the Vice President for Security at The Open Group. Thanks.

Hietala: Thanks, Dana.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions; your host and
moderator through these thought leadership interviews. Thanks again for listening and come
back next time.

Copyright The Open Group and Interarbor Solutions, LLC, 2005-2013. All rights reserved.


You may also be interested in:
  •    The Open Group Keynoter Sees Big-Data Analytics Bolstering Quality, Manufacturing,
       Processes
  •    The Open Group Trusted Technology Forum is Leading the Way to Securing Global IT
       Supply Chains
  •    Corporate Data, Supply Chains Remain Vulnerable to Cyber Crime Attacks Says Open
       Group Conference Speaker
  •    Open Group Conference Speakers Discuss the Cloud: Higher Risk or Better Security?
  •    Capgemini's CTO on Why Cloud Computing Exposes the Duality Between IT and
       Business
  •    San Francisco Conference observations: Enterprise transformation, enterprise
       architecture, SOA and a splash of cloud computing
  •    MIT's Ross on how enterprise architecture and IT more than ever lead to business
       transformation

Metrics & Reporting - A Failure in CommunicationChris Ross
 

Was ist angesagt? (20)

Using Security Metrics to Drive Action in Asia Pacific - 22 Experts Share How...
Using Security Metrics to Drive Action in Asia Pacific - 22 Experts Share How...Using Security Metrics to Drive Action in Asia Pacific - 22 Experts Share How...
Using Security Metrics to Drive Action in Asia Pacific - 22 Experts Share How...
 
AR - Applying Big Data to Risk Management
AR - Applying Big Data to Risk ManagementAR - Applying Big Data to Risk Management
AR - Applying Big Data to Risk Management
 
Securing the Digital Future
Securing the Digital FutureSecuring the Digital Future
Securing the Digital Future
 
Protecting the Core of Your Network
Protecting the Core of Your Network Protecting the Core of Your Network
Protecting the Core of Your Network
 
Encuesta Mundial de Ciberseguridad de la Información 2017
Encuesta Mundial de Ciberseguridad de la Información 2017Encuesta Mundial de Ciberseguridad de la Información 2017
Encuesta Mundial de Ciberseguridad de la Información 2017
 
7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-Maligec7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-Maligec
 
Accenture 2015: Global Risk Management Study - North American Insurance Report
Accenture 2015: Global Risk Management Study - North American Insurance ReportAccenture 2015: Global Risk Management Study - North American Insurance Report
Accenture 2015: Global Risk Management Study - North American Insurance Report
 
Journey to the Perfect Application: Digital Transformation During a Crisis
Journey to the Perfect Application: Digital Transformation During a CrisisJourney to the Perfect Application: Digital Transformation During a Crisis
Journey to the Perfect Application: Digital Transformation During a Crisis
 
RSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected WorldRSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected World
 
Edelman Privacy Risk Index Powered by Ponemon
Edelman Privacy Risk Index Powered by PonemonEdelman Privacy Risk Index Powered by Ponemon
Edelman Privacy Risk Index Powered by Ponemon
 
Where Is Your Sensitive Data Wp
Where Is Your Sensitive Data   WpWhere Is Your Sensitive Data   Wp
Where Is Your Sensitive Data Wp
 
Why the ‘Old Brain’ Struggles with Big Data - Deloitte CIO - WSJ
Why the ‘Old Brain’ Struggles with Big Data - Deloitte CIO - WSJWhy the ‘Old Brain’ Struggles with Big Data - Deloitte CIO - WSJ
Why the ‘Old Brain’ Struggles with Big Data - Deloitte CIO - WSJ
 
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
 
Ask the Experts final
Ask the Experts finalAsk the Experts final
Ask the Experts final
 
Is Your Company Ready for a Big Data Breach?
Is Your Company Ready for a Big Data Breach?Is Your Company Ready for a Big Data Breach?
Is Your Company Ready for a Big Data Breach?
 
2014 State of Backup for SMBs
2014 State of Backup for SMBs2014 State of Backup for SMBs
2014 State of Backup for SMBs
 
2015 Corporate general counsel survey results
2015 Corporate general counsel survey results2015 Corporate general counsel survey results
2015 Corporate general counsel survey results
 
2016-Black-Hat-Attendee-Survey
2016-Black-Hat-Attendee-Survey2016-Black-Hat-Attendee-Survey
2016-Black-Hat-Attendee-Survey
 
Exploring the Tech Specific Purchase Process
Exploring the Tech Specific Purchase ProcessExploring the Tech Specific Purchase Process
Exploring the Tech Specific Purchase Process
 
Metrics & Reporting - A Failure in Communication
Metrics & Reporting - A Failure in CommunicationMetrics & Reporting - A Failure in Communication
Metrics & Reporting - A Failure in Communication
 

Andere mochten auch

Growing Threats Make Application Security a Pervasive Necessity, Rather than ...
Growing Threats Make Application Security a Pervasive Necessity, Rather than ...Growing Threats Make Application Security a Pervasive Necessity, Rather than ...
Growing Threats Make Application Security a Pervasive Necessity, Rather than ...Dana Gardner
 
'Extreme Apps’ Approach to Analysis Makes On-Site Retail Experience King Again
'Extreme Apps’ Approach to Analysis Makes On-Site Retail Experience King Again'Extreme Apps’ Approach to Analysis Makes On-Site Retail Experience King Again
'Extreme Apps’ Approach to Analysis Makes On-Site Retail Experience King AgainDana Gardner
 
Gaining Digital Business Strategic View Across More Data Gives AmeriPride Cul...
Gaining Digital Business Strategic View Across More Data Gives AmeriPride Cul...Gaining Digital Business Strategic View Across More Data Gives AmeriPride Cul...
Gaining Digital Business Strategic View Across More Data Gives AmeriPride Cul...Dana Gardner
 
How HudsonAlpha Innovates on IT for Research-Driven Education, Genomic Medici...
How HudsonAlpha Innovates on IT for Research-Driven Education, Genomic Medici...How HudsonAlpha Innovates on IT for Research-Driven Education, Genomic Medici...
How HudsonAlpha Innovates on IT for Research-Driven Education, Genomic Medici...Dana Gardner
 
How Data Loss Prevention End-Point Agents Use HPE IDOL’s Comprehensive Data C...
How Data Loss Prevention End-Point Agents Use HPE IDOL’s Comprehensive Data C...How Data Loss Prevention End-Point Agents Use HPE IDOL’s Comprehensive Data C...
How Data Loss Prevention End-Point Agents Use HPE IDOL’s Comprehensive Data C...Dana Gardner
 
How New York Genome Center Manages the Massive Data Generated from DNA Sequen...
How New York Genome Center Manages the Massive Data Generated from DNA Sequen...How New York Genome Center Manages the Massive Data Generated from DNA Sequen...
How New York Genome Center Manages the Massive Data Generated from DNA Sequen...Dana Gardner
 
Performance Tools from HP Help IT Services Provider Savvis Scale to Meet Cust...
Performance Tools from HP Help IT Services Provider Savvis Scale to Meet Cust...Performance Tools from HP Help IT Services Provider Savvis Scale to Meet Cust...
Performance Tools from HP Help IT Services Provider Savvis Scale to Meet Cust...Dana Gardner
 
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...Dana Gardner
 
GoodData Developers Share Their Big Data Platform Wish List
GoodData Developers Share Their Big Data Platform Wish ListGoodData Developers Share Their Big Data Platform Wish List
GoodData Developers Share Their Big Data Platform Wish ListDana Gardner
 
How Big Data Paves the Path to Extreme Personalization and Amazing User Exper...
How Big Data Paves the Path to Extreme Personalization and Amazing User Exper...How Big Data Paves the Path to Extreme Personalization and Amazing User Exper...
How Big Data Paves the Path to Extreme Personalization and Amazing User Exper...Dana Gardner
 
BSM and IT Data Access Improvement at Swiss Insurer and Turkish Mobile Carrie...
BSM and IT Data Access Improvement at Swiss Insurer and Turkish Mobile Carrie...BSM and IT Data Access Improvement at Swiss Insurer and Turkish Mobile Carrie...
BSM and IT Data Access Improvement at Swiss Insurer and Turkish Mobile Carrie...Dana Gardner
 
How INOVVO Delivers Analysis that Leads to Greater User Retention and Loyalty...
How INOVVO Delivers Analysis that Leads to Greater User Retention and Loyalty...How INOVVO Delivers Analysis that Leads to Greater User Retention and Loyalty...
How INOVVO Delivers Analysis that Leads to Greater User Retention and Loyalty...Dana Gardner
 

Andere mochten auch (12)

Growing Threats Make Application Security a Pervasive Necessity, Rather than ...
Growing Threats Make Application Security a Pervasive Necessity, Rather than ...Growing Threats Make Application Security a Pervasive Necessity, Rather than ...
Growing Threats Make Application Security a Pervasive Necessity, Rather than ...
 
'Extreme Apps’ Approach to Analysis Makes On-Site Retail Experience King Again
'Extreme Apps’ Approach to Analysis Makes On-Site Retail Experience King Again'Extreme Apps’ Approach to Analysis Makes On-Site Retail Experience King Again
'Extreme Apps’ Approach to Analysis Makes On-Site Retail Experience King Again
 
Gaining Digital Business Strategic View Across More Data Gives AmeriPride Cul...
Gaining Digital Business Strategic View Across More Data Gives AmeriPride Cul...Gaining Digital Business Strategic View Across More Data Gives AmeriPride Cul...
Gaining Digital Business Strategic View Across More Data Gives AmeriPride Cul...
 
How HudsonAlpha Innovates on IT for Research-Driven Education, Genomic Medici...
How HudsonAlpha Innovates on IT for Research-Driven Education, Genomic Medici...How HudsonAlpha Innovates on IT for Research-Driven Education, Genomic Medici...
How HudsonAlpha Innovates on IT for Research-Driven Education, Genomic Medici...
 
How Data Loss Prevention End-Point Agents Use HPE IDOL’s Comprehensive Data C...
How Data Loss Prevention End-Point Agents Use HPE IDOL’s Comprehensive Data C...How Data Loss Prevention End-Point Agents Use HPE IDOL’s Comprehensive Data C...
How Data Loss Prevention End-Point Agents Use HPE IDOL’s Comprehensive Data C...
 
How New York Genome Center Manages the Massive Data Generated from DNA Sequen...
How New York Genome Center Manages the Massive Data Generated from DNA Sequen...How New York Genome Center Manages the Massive Data Generated from DNA Sequen...
How New York Genome Center Manages the Massive Data Generated from DNA Sequen...
 
Performance Tools from HP Help IT Services Provider Savvis Scale to Meet Cust...
Performance Tools from HP Help IT Services Provider Savvis Scale to Meet Cust...Performance Tools from HP Help IT Services Provider Savvis Scale to Meet Cust...
Performance Tools from HP Help IT Services Provider Savvis Scale to Meet Cust...
 
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
 
GoodData Developers Share Their Big Data Platform Wish List
GoodData Developers Share Their Big Data Platform Wish ListGoodData Developers Share Their Big Data Platform Wish List
GoodData Developers Share Their Big Data Platform Wish List
 
How Big Data Paves the Path to Extreme Personalization and Amazing User Exper...
How Big Data Paves the Path to Extreme Personalization and Amazing User Exper...How Big Data Paves the Path to Extreme Personalization and Amazing User Exper...
How Big Data Paves the Path to Extreme Personalization and Amazing User Exper...
 
BSM and IT Data Access Improvement at Swiss Insurer and Turkish Mobile Carrie...
BSM and IT Data Access Improvement at Swiss Insurer and Turkish Mobile Carrie...BSM and IT Data Access Improvement at Swiss Insurer and Turkish Mobile Carrie...
BSM and IT Data Access Improvement at Swiss Insurer and Turkish Mobile Carrie...
 
How INOVVO Delivers Analysis that Leads to Greater User Retention and Loyalty...
How INOVVO Delivers Analysis that Leads to Greater User Retention and Loyalty...How INOVVO Delivers Analysis that Leads to Greater User Retention and Loyalty...
How INOVVO Delivers Analysis that Leads to Greater User Retention and Loyalty...
 

Ähnlich wie Open Group Panel Explores Changing Field of Risk Management and Analysis in the Era of Big Data

How Dashboard Analytics Bolster Security and Risk Management Across IT Supply...
How Dashboard Analytics Bolster Security and Risk Management Across IT Supply...How Dashboard Analytics Bolster Security and Risk Management Across IT Supply...
How Dashboard Analytics Bolster Security and Risk Management Across IT Supply...Dana Gardner
 
Learn More About Advances in Identity Management and It's Role in Reducing Cy...
Learn More About Advances in Identity Management and It's Role in Reducing Cy...Learn More About Advances in Identity Management and It's Role in Reducing Cy...
Learn More About Advances in Identity Management and It's Role in Reducing Cy...Dana Gardner
 
How Unisys and Dell EMC Together Head Off Backup Storage Cyber Security Vulne...
How Unisys and Dell EMC Together Head Off Backup Storage Cyber Security Vulne...How Unisys and Dell EMC Together Head Off Backup Storage Cyber Security Vulne...
How Unisys and Dell EMC Together Head Off Backup Storage Cyber Security Vulne...Dana Gardner
 
Right-Sizing the Security and Information Assurance for Companies, a Core-ver...
Right-Sizing the Security and Information Assurance for Companies, a Core-ver...Right-Sizing the Security and Information Assurance for Companies, a Core-ver...
Right-Sizing the Security and Information Assurance for Companies, a Core-ver...Dana Gardner
 
Risksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability ManagementRisksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability ManagementMighty Guides, Inc.
 
Thought Leader Interview: HP's Global CISO Brett Wahlin on the Future of Secu...
Thought Leader Interview: HP's Global CISO Brett Wahlin on the Future of Secu...Thought Leader Interview: HP's Global CISO Brett Wahlin on the Future of Secu...
Thought Leader Interview: HP's Global CISO Brett Wahlin on the Future of Secu...Dana Gardner
 
After Cutting its Big Data Teeth on Wall Street, Vichara Technologies Grows t...
After Cutting its Big Data Teeth on Wall Street, Vichara Technologies Grows t...After Cutting its Big Data Teeth on Wall Street, Vichara Technologies Grows t...
After Cutting its Big Data Teeth on Wall Street, Vichara Technologies Grows t...Dana Gardner
 
BI and big data analytics Force an Overdue Reckoning Between IT and Business ...
BI and big data analytics Force an Overdue Reckoning Between IT and Business ...BI and big data analytics Force an Overdue Reckoning Between IT and Business ...
BI and big data analytics Force an Overdue Reckoning Between IT and Business ...Dana Gardner
 
How the Switch to a Predominantly Remote Workforce Accelerated IT and Securit...
How the Switch to a Predominantly Remote Workforce Accelerated IT and Securit...How the Switch to a Predominantly Remote Workforce Accelerated IT and Securit...
How the Switch to a Predominantly Remote Workforce Accelerated IT and Securit...Dana Gardner
 
Focus on Data, Risk Control, and Predictive Analysis Drives New Era of Cloud-...
Focus on Data, Risk Control, and Predictive Analysis Drives New Era of Cloud-...Focus on Data, Risk Control, and Predictive Analysis Drives New Era of Cloud-...
Focus on Data, Risk Control, and Predictive Analysis Drives New Era of Cloud-...Dana Gardner
 
Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness ...
Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness ...Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness ...
Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness ...Dana Gardner
 
Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...
Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...
Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...Dana Gardner
 
SANS WhatWorks - Compliance & DLP
SANS WhatWorks - Compliance & DLPSANS WhatWorks - Compliance & DLP
SANS WhatWorks - Compliance & DLPNick Selby
 
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...Dana Gardner
 
Industry Moves to Fill Gap for Building Trusted Supply Chain Technology Accre...
Industry Moves to Fill Gap for Building Trusted Supply Chain Technology Accre...Industry Moves to Fill Gap for Building Trusted Supply Chain Technology Accre...
Industry Moves to Fill Gap for Building Trusted Supply Chain Technology Accre...Dana Gardner
 
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdf
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdfStephane Nappo. January 2023. Top Cyber News MAGAZINE.pdf
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdfStéphane Nappo
 
Tech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapTech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapDominic Vogel
 
BriefingsDirect Analysts Unpack the Psychology of Project Management Via 'Pra...
BriefingsDirect Analysts Unpack the Psychology of Project Management Via 'Pra...BriefingsDirect Analysts Unpack the Psychology of Project Management Via 'Pra...
BriefingsDirect Analysts Unpack the Psychology of Project Management Via 'Pra...Dana Gardner
 
BriefingsDirect : Psychology of project management and SOA governance
BriefingsDirect : Psychology of project management and SOA governanceBriefingsDirect : Psychology of project management and SOA governance
BriefingsDirect : Psychology of project management and SOA governanceMichael Krigsman
 
Heartland Payment Systems CSO Instills Culture That Promotes Proactive and Op...
Heartland Payment Systems CSO Instills Culture That Promotes Proactive and Op...Heartland Payment Systems CSO Instills Culture That Promotes Proactive and Op...
Heartland Payment Systems CSO Instills Culture That Promotes Proactive and Op...Dana Gardner
 

Ähnlich wie Open Group Panel Explores Changing Field of Risk Management and Analysis in the Era of Big Data (20)

How Dashboard Analytics Bolster Security and Risk Management Across IT Supply...
How Dashboard Analytics Bolster Security and Risk Management Across IT Supply...How Dashboard Analytics Bolster Security and Risk Management Across IT Supply...
How Dashboard Analytics Bolster Security and Risk Management Across IT Supply...
 
Learn More About Advances in Identity Management and It's Role in Reducing Cy...
Learn More About Advances in Identity Management and It's Role in Reducing Cy...Learn More About Advances in Identity Management and It's Role in Reducing Cy...
Learn More About Advances in Identity Management and It's Role in Reducing Cy...
 
How Unisys and Dell EMC Together Head Off Backup Storage Cyber Security Vulne...
How Unisys and Dell EMC Together Head Off Backup Storage Cyber Security Vulne...How Unisys and Dell EMC Together Head Off Backup Storage Cyber Security Vulne...
How Unisys and Dell EMC Together Head Off Backup Storage Cyber Security Vulne...
 
Right-Sizing the Security and Information Assurance for Companies, a Core-ver...
Right-Sizing the Security and Information Assurance for Companies, a Core-ver...Right-Sizing the Security and Information Assurance for Companies, a Core-ver...
Right-Sizing the Security and Information Assurance for Companies, a Core-ver...
 
Risksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability ManagementRisksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability Management
 
Thought Leader Interview: HP's Global CISO Brett Wahlin on the Future of Secu...
Thought Leader Interview: HP's Global CISO Brett Wahlin on the Future of Secu...Thought Leader Interview: HP's Global CISO Brett Wahlin on the Future of Secu...
Thought Leader Interview: HP's Global CISO Brett Wahlin on the Future of Secu...
 
After Cutting its Big Data Teeth on Wall Street, Vichara Technologies Grows t...
After Cutting its Big Data Teeth on Wall Street, Vichara Technologies Grows t...After Cutting its Big Data Teeth on Wall Street, Vichara Technologies Grows t...
After Cutting its Big Data Teeth on Wall Street, Vichara Technologies Grows t...
 
BI and big data analytics Force an Overdue Reckoning Between IT and Business ...
BI and big data analytics Force an Overdue Reckoning Between IT and Business ...BI and big data analytics Force an Overdue Reckoning Between IT and Business ...
BI and big data analytics Force an Overdue Reckoning Between IT and Business ...
 
How the Switch to a Predominantly Remote Workforce Accelerated IT and Securit...
How the Switch to a Predominantly Remote Workforce Accelerated IT and Securit...How the Switch to a Predominantly Remote Workforce Accelerated IT and Securit...
How the Switch to a Predominantly Remote Workforce Accelerated IT and Securit...
 
Focus on Data, Risk Control, and Predictive Analysis Drives New Era of Cloud-...
Focus on Data, Risk Control, and Predictive Analysis Drives New Era of Cloud-...Focus on Data, Risk Control, and Predictive Analysis Drives New Era of Cloud-...
Focus on Data, Risk Control, and Predictive Analysis Drives New Era of Cloud-...
 
Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness ...
Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness ...Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness ...
Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness ...
 
Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...
Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...
Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...
 
SANS WhatWorks - Compliance & DLP
SANS WhatWorks - Compliance & DLPSANS WhatWorks - Compliance & DLP
SANS WhatWorks - Compliance & DLP
 
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
 
Industry Moves to Fill Gap for Building Trusted Supply Chain Technology Accre...
Industry Moves to Fill Gap for Building Trusted Supply Chain Technology Accre...Industry Moves to Fill Gap for Building Trusted Supply Chain Technology Accre...
Industry Moves to Fill Gap for Building Trusted Supply Chain Technology Accre...
 
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdf
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdfStephane Nappo. January 2023. Top Cyber News MAGAZINE.pdf
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdf
 
Tech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapTech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event Recap
 
BriefingsDirect Analysts Unpack the Psychology of Project Management Via 'Pra...
BriefingsDirect Analysts Unpack the Psychology of Project Management Via 'Pra...BriefingsDirect Analysts Unpack the Psychology of Project Management Via 'Pra...
BriefingsDirect Analysts Unpack the Psychology of Project Management Via 'Pra...
 
BriefingsDirect : Psychology of project management and SOA governance
BriefingsDirect : Psychology of project management and SOA governanceBriefingsDirect : Psychology of project management and SOA governance
BriefingsDirect : Psychology of project management and SOA governance
 
Heartland Payment Systems CSO Instills Culture That Promotes Proactive and Op...
Heartland Payment Systems CSO Instills Culture That Promotes Proactive and Op...Heartland Payment Systems CSO Instills Culture That Promotes Proactive and Op...
Heartland Payment Systems CSO Instills Culture That Promotes Proactive and Op...
 

Kürzlich hochgeladen

SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
Dana Gardner: Hello, and welcome to a special BriefingsDirect thought leadership interview series coming to you in conjunction with The Open Group Conference on January 28 in Newport Beach, California.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, and I'll be your host and moderator throughout these business transformation discussions. The conference itself is focusing on big data, the transformation we need to embrace today.

We're here now with a panel of experts to explore new trends and solutions in the area of risk management and analysis. We'll learn how large enterprises are delivering risk assessments and risk analysis, and we'll see how big data can be both an area to protect from in the form of risks, but also a tool for better understanding and mitigating risks.

With that, please join me in welcoming our panel. We're here with Jack Freund, PhD, the Information Security Risk Assessment Manager at TIAA-CREF. Welcome, Jack.

Jack Freund: Hello Dana, how are you?

Gardner: I'm great. Glad you could join us.

We are also here with Jack Jones, Principal of CXOWARE. He has more than nine years' experience as a Chief Information Security Officer, and is the inventor of the Factor Analysis Information Risk (FAIR) framework. Welcome, Jack.

Jack Jones: Thank you.

And we're also here with Jim Hietala, Vice President, Security for The Open Group. Welcome, Jim.

Jim Hietala: Thanks, Dana.

Gardner: All right, let's start out with looking at this from a position of trends. Why is the issue of risk analysis so prominent now? What's different from, say, five years ago? And we'll start with you, Jack Jones.

Jones: The information security industry has struggled with getting the attention of and support from management and businesses for a long time, and it has finally come around to the fact that the executives care about loss exposure -- the likelihood of bad things happening and how bad those things are likely to be. It's only when we speak of those terms or those issues in terms of risk that we make sense to those executives. And once we do that, we begin to gain some credibility and traction in terms of getting things done.

Gardner: So we really need to talk about this in the terms that a business executive would appreciate, not necessarily an IT executive.

Effects on business

Jones: Absolutely. They're tired of hearing about vulnerabilities, hackers, and that sort of thing. It's only when we can talk in terms of the effect on the business that it makes sense to them.

Gardner: Jack Freund, I should also point out that you have more than 14 years of enterprise IT experience. You're a visiting professor at DeVry University and you chair a risk-management subcommittee for ISACA? Is that correct?

Freund: ISACA, yes.

Gardner: And do you agree?

Freund: The problem that we have as a profession, and I think it's a big problem, is that we have allowed ourselves to escape the natural trend that the other IT professionals have already taken. There was a time, years ago, when you could code in the basement, and nobody cared much about what you were doing. But now, largely speaking, developers and systems administrators are very focused on meeting the goals of the organization. Security has been allowed to miss that boat a little. We have been allowed to hide behind this aura of a protector and of an alerter of terrible things that could happen, without really tying ourselves to the problem that the organizations are facing and how we can help them succeed in what they're doing.
Gardner: Jim Hietala, how do you see things that are different now than a few years ago when it comes to risk assessment?

Hietala: There are certainly changes on the threat side of the landscape. Five years ago, you didn't really have hacktivism or this notion of an advanced persistent threat (APT). That highly skilled attacker taking aim at governments and large organizations didn't really exist -- or didn't exist to the degree it does today. So that has changed.

You also have big changes to the IT platform landscape, all of which bring new risks that organizations need to really think about. The mobility trend, the cloud trend, the big-data trend that we are talking about today, all of those things bring new risk to the organization.

As Jack Jones mentioned, business executives don't want to hear about, "I've got 15 vulnerabilities in the mobility part of my organization." They want to understand what's the risk of bad things happening because of mobility, what we're doing about it, and what's happening to risk over time.

So it's a combination of changes in the threats and attackers, as well as just changes to the IT landscape, that means we have to take a different look at how we measure and present risk to the business.

Gardner: Because we're at a big-data conference, do you share my perception, Jack Jones, that big data can be a source of risk and vulnerability, but also the analytics and the business intelligence (BI) tools that we're employing with big data can be used to alert you to risks or provide a strong tool for better understanding your true risk setting or environment?

Crown jewels

Jones: You are absolutely right. You think of big data and, by definition, it's where your crown jewels, and everything that leads to crown jewels from an information perspective, are going to be found. It's like one-stop shopping for the bad guy, if you want to look at it in that context. It definitely needs to be protected.

The architecture surrounding it and its integration across a lot of different platforms and such can be leveraged and probably result in a complex landscape to try and secure. There are a lot of ways into that data and such, but at least if you can leverage that same big data architecture, it's an approach to information security. With log data and other threat and vulnerability data and such, you should be able to make some significant gains in terms of how well-informed your analyses and your decisions are, based on that data.

Gardner: Jack Freund, do you share that? How does big data fit into your understanding of the evolving arena of risk assessment and analysis?

Freund: If we fast-forward it five years, and this is even true today, a lot of people on the cutting edge of big data will tell you the problem isn't so much building everything together and figuring out what it can do. They are going to tell you that the problem is what we do once we figure out everything that we have. This is the problem that we have traditionally had on a much smaller scale in information security. When everything is important, nothing is important.

Gardner: To follow up on that, where do you see the gaps in risk analysis in large organizations? In other words, what parts of organizations aren't being assessed for risk and should be?

Freund: The big problem that exists largely today in the way that risk assessments are done is the focus on labels. We want to quickly address the low, medium, and high things and know where they are. But the problem is that there are inherent problems in the way that we think about those labels, without doing any of the analysis legwork. I think that what's really missing is that true analysis. If the system goes offline, do we lose money? If the system becomes compromised, what are the cost-accounting things that will happen that allow us to figure out how much money we're going to lose? That analysis work is largely missing. That's the gap.

The gap is if the control is not in place, then there's a risk that must be addressed in some fashion. So we end up with these very long lists of horrible, terrible things that can be done to us in all sorts of different ways, without any relevance to the overall business of the organization. Every day, our organizations are out there selling products, offering services, which is in and of itself its own risky venture. So tying what we do from an information security perspective to that is critical for not just the success of the organization, but the success of our profession.

Gardner: So we can safely say that large companies are probably pretty good at a cost-benefit analysis or they wouldn't be successful. Now, I guess we need to ask them to take that a step further and do a cost-risk analysis, but in business terms, being mindful that their IT systems might be a much larger part of that than they had at once considered. Is that fair, Jack?

Risk implications

Jones: Businesses have been making these decisions, chasing the opportunity, but generally without any clear understanding of the risk implications, at least from the information security perspective. They will have us in the corner screaming and throwing red flags in there, and talking about vulnerabilities and threats from one thing or another. But we come to the table with red, yellow, and green indicators, and on the other side of the table, they've got numbers. Well, here is what we expect to earn in revenue from this initiative, and the information security people are saying it's crazy. How do you normalize the quantitative revenue gain versus red, yellow, and green?
Gardner: Jim Hietala, do you see it in the same red, yellow, green, or are there some other frameworks or standard methodologies that The Open Group is looking at to make this a bit more of a science?

Hietala: Probably four years ago, we published what we call the Risk Taxonomy Standard, which is based upon FAIR, the management framework that Jack Jones invented. So, we're big believers in bringing that level of precision to doing risk analysis. Having just gone through training for FAIR myself, as part of the standards effort that we're doing around certification, I can say that it really brings a level of precision and a depth of analysis to risk analysis that's been lacking frequently in IT security and risk management.

Gardner: We've talked about how organizations need to be mindful that their risks are higher and different than in the past, and we've talked about how standardization and methodologies are important, helping them better understand this from a business perspective, instead of just a technology perspective. But I'm curious about a cultural and organizational perspective. Whose job should this fall under? Who is wearing the white hat in the company and can rally the forces of good and make all the bad things managed? Is this a single person, a cultural, an organizational mission? How do you make this work in the enterprise in a real-world way? Let's go to you, Jack Freund.

Freund: The profession of IT risk management is changing. That profession will have to sit between the business and information security, inclusive of all the other IT functions that make that happen. In order to be successful sitting between these two groups, you have to be able to speak the language of both of those groups. You have to be able to understand profit and loss and capital expenditure on the business side. On the IT risk side, you have to be technical enough to do all those sorts of things.

But I think the sum total of those two things is probably only about 50 percent of the job of IT risk management today. The other 50 percent is communication. Finding ways to translate that language and to understand the needs and concerns of each side of that relationship is really the job of IT risk management. To answer your question, I think it's absolutely the job of IT risk management to do that. From my own experiences with the FAIR framework, I can say that using FAIR is the Rosetta Stone for speaking between those two groups.

Necessary tools

It gives you the tools necessary to speak in the insurance and risk terms that business appreciates. And it gives you the ability to be as technical and just nerdy, if you will, as you need to be in order to talk to IT security and the other IT functions, in order to make sure everybody is on the same page and everyone feels like their concerns are represented in the risk-assessment functions that are happening.

Gardner: Jack Jones, can you add to that?

Jones: I agree with what Jack said wholeheartedly. I would add, though, that integration or adoption of something like this is a lot easier the higher up in the organization you go. For CFOs traditionally, their neck is most clearly on the line for risk-related issues within most organizations. At least in my experience, if you get their ear on this and present the information security data analyses to them, they jump on board, they drive it through the organization, and it's just brain-dead easy.

If you try to drive it up through the ranks, maybe you get an enthusiastic supporter in the information security organization, especially if it's below the CISO level, and they try a grassroots sort of effort to bring it in, it's a tougher thing. It can still work. I've seen it work very well, but it's a longer row to hoe.

Gardner: There has been a lot of research, studies, and surveys on data breaches. What are some of the best sources, or maybe not so good sources, for actually measuring this? How do you know if you're doing it right? How do you know if you're moving from yellow to green, instead of to red? To you, Jack Freund.

Freund: There are a couple of things in that question. The first is there's this inherent assumption in a lot of organizations that we need to move from yellow to green, and that may not be the case. So, becoming very knowledgeable about the risk posture and the risk tolerance of the organization is key. That's part of the official mindset of IT security. When you graduate an information security person today, they are minted knowing that there are a lot of bad things out there, and their goal in life is to reduce them. But that may not be the case.

The case may very well be that things are okay now, but we have bigger things to fry over here that we're going to focus on. So, that's one thing. The second thing, and it's a very good question, is how do we know that we're getting better? How do we trend that over time? Overall, measuring that value for the organization has to be able to show a reduction of risk, or at least reduction of risk to the risk-tolerance levels of the organization. Calculating and understanding that requires something that I always phrase as: we have to become comfortable with uncertainty. When you are talking about risk in general, you're talking about forward-looking statements about things that may or may not happen. So, becoming comfortable with the fact that they may or may not happen means that when you measure them today, you have to be willing to be a little bit squishy in how you're representing that.
In FAIR and in other academic works, they talk about using ranges to do that. So, things like high, medium, and low could be represented in terms of a minimum, maximum, and most likely. And that tends to be very, very effective. People can respond to that fairly well.

Gathering data

Jones: With regard to the data sources, there are a lot of people out there doing these sorts of studies, gathering data. The problem that's hamstringing that effort is the lack of a common set of definitions, nomenclature, and even taxonomy around the problem itself. You will have one study that will have defined threat, vulnerability, or whatever differently from some other study, and so the data can't be normalized. It really harms the utility of it.

I see data out there and I think, "That looks like that can be really useful." But I hesitate to use it because I don't understand. They don't publish their definitions, approach, and how they went after it. There's just so much superficial thinking in the profession on this that we now have dug under the covers. Too often, I run into stuff that just can't be defended. It doesn't make sense, and therefore the data can't be used. It's an unfortunate situation.

I do think we're heading in a positive direction. FAIR can provide a normalizing structure for that sort of thing. The VERIS framework, which by the way is also derived in part from FAIR, also has gained real attraction in terms of the quality of the research they have done and the data they're generating. We're headed in the right direction, but we've got a long way to go.

Gardner: Jim Hietala, we're seemingly looking at this on a company-by-company basis. But is there a vertical industry slice or industry-wide slice where we could look at what's happening to everyone and put some standard understanding or measurement around what's going on in the overall market, maybe by region, maybe by country?

Hietala: There are some industry-specific initiatives, and what's really needed, as Jack Jones mentioned, are common definitions for things like breach, exposure, loss, all those, so that the data sources from one organization can be used in another, and so forth. I think about the financial services industry. I know that there is some information sharing through an organization called the FS-ISAC about what's happening to financial services organizations in terms of attacks, loss, and those sorts of things. There's an opportunity for that on a vertical-by-vertical basis. But, like Jack said, there is a long way to go on that.

In some industries, healthcare for instance, you are so far from that, it's ridiculous. In the US here, the HIPAA security rule says you must do a risk assessment. So, hospitals have done annual risk assessments, will stick the binder on the shelf, and they don't think much about information security in between those annual risk assessments. That's a generalization, but various industries are at different places on a continuum of maturity of their risk management approaches.

Gardner: As we get better with having a common understanding of the terms and the measurements and we share more data, let's go back to this notion of how to communicate this effectively to those people that can use it and exercise change management as a result. That could be the CFO, the CEO, what have you, depending on the organization. Do you have any examples? Can we look to an organization that's done this right, and examine their practices, the way they've communicated it, some of the tools they've used, and say, "Aha, they're headed in the right direction; maybe we could follow a little bit." Let's start with you, Jack Freund.

Freund: I have worked and consulted for various organizations that have done risk management at different levels. The ones that have embraced FAIR tend to be the ones that overall feel that risk is an integral part of their business strategy. And I can give a couple of examples of scenarios that have played out that I think have been successful in the way they have been communicated.

Coming to terms

The key to keep in mind with this is that one of the really important things is that when you're a security professional, you're again trained to feel like you need results. But the results for the IT risk management professional are different. The results are "I've communicated this effectively, so I am done." And then whatever the results are, are the results that needed to be. And that's a really hard thing to come to terms with.

I've been involved in large-scale efforts to assess risk for a cloud venture. We needed to move virtually every confidential record that we have to the cloud in order to be competitive with the rest of our industry. If our competitors are finding ways to utilize the cloud before us, we can lose out. So, we need to find a way to do that, and to be secure and compliant with all the laws and regulations and such.

Through that scenario, one of the things that came out was that key ownership became really, really important. We had the opportunity to look at the various control structures and we analyzed them using FAIR. What we ended up with was sort of a long-tail risk. Most people will probably do their job right over a long enough period of time. But, over that same long period of time, the odds of somebody making a mistake not in your favor are probably likely, but not significantly enough so that you can't make the move. But the problem became that the loss side, the side that typically gets ignored with traditional risk-assessment methodologies, was so significant that the organization needed to make some judgment around that, and they needed to have a sense of what we needed to do in order to minimize that.

That became a big point of discussion for us and it drove the conversation away from "bad things could happen." We didn't bury the lead. The lead was that this is the most important thing to this organization in this particular scenario. So, let's talk about things we can do. Are we comfortable with it? Do we need to make any sort of changes? What are some control opportunities? How much do they cost? This is a significantly more productive conversation than just, "Here is a bunch of bad things that happen. I'm going to cross my arms and say no."

Gardner: Jack Jones, examples at work?

Jones: In an organization that I've been working with recently, their board of directors said they wanted a quantitative view of information security risk. They just weren't happy with the red, yellow, green. So, they came to us, and there were really two things that drove them there. One was that they were looking at cyber insurance. They wanted to know how much cyber insurance they should take out, and how do you figure that out when you've got a red, yellow, green scale? They were able to do a series of analyses on a population of the scenarios that they thought were relevant in their world, get an aggregate view of their annualized loss exposure, and make a better informed decision about that particular problem.

Gardner: I'm curious how prevalent cyber insurance is, and is that going to be a leveling effect in the industry where people speak a common language, the equivalent of actuarial tables, but for security in enterprise and cyber security?

Jones: One would dream and hope, but at this point, what I've seen out there in terms of the basis on which insurance companies are setting their premiums and such is essentially the same old "risk assessment" stuff that the industry has been doing poorly for years. It's not based on data or any real analysis per se, at least what I've run into.
What they do is set their premiums high to buffer themselves and typically cover as few things as possible. The question of how much value it's providing the customers becomes a problem.

Looking to the future

Gardner: We're coming up on our time limit. So, let's quickly look to the future. Is there such a thing as risk management as a service? Can we outsource this? Is there a way in which moving more of IT into cloud or hybrid models would mitigate risk, because the cloud provider would standardize? Then, many players in that environment, those who were buying those services, would be under that same umbrella? Let's start with you, Jim Hietala. What's the future of this and what do the cloud trends bring to the table?

Hietala: I'd start with a maxim that comes out of the financial services industry, which is that you can outsource the function, but you still own the risk. That's an unfortunate reality. You can throw things out in the cloud, but it doesn't absolve you from understanding your risk and then doing things to manage it, to transfer it if there's insurance, or whatever the case may be. That's just a reality. Organizations in the risky world we live in are going to have to get more serious about doing effective risk analysis.

From The Open Group standpoint, we see this as an opportunity area. As I mentioned, we've standardized the taxonomy piece of FAIR. And we really see an opportunity around the profession going forward to help the risk-analysis community by further standardizing FAIR and launching a certification program for a FAIR-certified risk analyst. That's in demand from large organizations that are looking for evidence that people understand how to apply FAIR and use it in doing risk analyses.

Gardner: Jack Freund, looking into your crystal ball, how do you see this discipline evolving?

Freund: I always try to consider things as they exist within other systems. Risk is a system of systems. There are a series of pressures that are applied, and a series of levers that are thrown in order to release that sort of pressure. Risk will always be owned by the organization that is offering that service. If we decide at some point that we can move to the cloud and all these other things, we need to look to the legal system. There is a series of pressures that they are going to apply, and who is going to own that, and how that plays itself out.

If we look to the Europeans and the way that they're managing risk and compliance, they're still as strict as we in the United States think that they may be about things, but there's still a lot of leeway in a lot of the ways that laws are written. You're still being asked to do things that are reasonable. You're still being asked to do things that are standard for your industry. But we'd still like the ability to know what that is, and I don't think that's going to go away anytime soon.

Judgment calls

We're still going to have to make judgment calls. We're still going to have to do 100 things with a budget for 10 things. Whenever that happens, you have to make a judgment call. What's the most important thing that I care about? And that's why risk management exists, because there's a certain series of things that we have to deal with. We don't have the resources to do them all, and I don't think that's going to change over time. Regardless of whether the landscape changes, that's the one that remains true.

Gardner: The last word to you, Jack Jones. It sounds as if we're continuing down the path of being mostly reactive. Is there anything you can see on the horizon that would perhaps tip the scales, so that the risk management and analysis practitioners can really become proactive and head things off before they become a big problem?

Jones: If we were to take a snapshot at any given point in time of an organization's loss exposure, how much risk they have right then, that's a lagging indicator of the decisions they've made in the past, and their ability to execute against those decisions. We can do some great root-cause analysis around that and ask how we got there. But we can also turn that coin around and ask how good we are at making well-informed decisions, and then executing against them, then asking what that implies from a risk perspective downstream.

If we understand the relationship between our current state, and past and future states, we have those linkages defined, especially if we have an analytic framework underneath it. We can do some marvelous what-if analysis. What if this variable changed in our landscape? Let's run a few thousand Monte Carlo simulations against that and see what comes up. What does that look like? Well, then let's change this other variable and then see which combination of dials, when we turn them, make us most robust to change in our landscape.

But again, we can't begin to get there until we have this foundational set of definitions, frameworks, and such to do that sort of analysis. That's what we're doing with FAIR, but without some sort of framework like that, there's no way you can get there.

Gardner: I am afraid we'll have to leave it there. We've been talking with a panel of experts on how new trends and solutions are emerging in the area of risk management and analysis. And we've seen how new tools for communication and using big data to understand risks are also being brought to the table.

This special BriefingsDirect discussion comes to you in conjunction with The Open Group Conference in Newport Beach, California. I'd like to thank our panel: Jack Freund, PhD, Information Security Risk Assessment Manager at TIAA-CREF. Thanks so much, Jack.

Freund: Thank you, Dana.

Gardner: We've also been speaking with Jack Jones, Principal at CXOWARE.

Jones: Thank you. Thank you, pleasure to be here.

Gardner: And last, Jim Hietala, the Vice President for Security at The Open Group. Thanks.

Hietala: Thanks, Dana.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions; your host and moderator through these thought leadership interviews. Thanks again for listening and come back next time.

Listen to the podcast. Find it on iTunes. Sponsor: The Open Group

Copyright The Open Group and Interarbor Solutions, LLC, 2005-2013. All rights reserved.

You may also be interested in:
• The Open Group Keynoter Sees Big-Data Analytics Bolstering Quality, Manufacturing, Processes
• The Open Group Trusted Technology Forum is Leading the Way to Securing Global IT Supply Chains
• Corporate Data, Supply Chains Remain Vulnerable to Cyber Crime Attacks Says Open Group Conference Speaker
• Open Group Conference Speakers Discuss the Cloud: Higher Risk or Better Security?
• Capgemini's CTO on Why Cloud Computing Exposes the Duality Between IT and Business
• San Francisco Conference observations: Enterprise transformation, enterprise architecture, SOA and a splash of cloud computing
• MIT's Ross on how enterprise architecture and IT more than ever lead to business transformation