The Open Group July Conference Emphasizes Value of
Placing Structure and Agility Around Enterprise Risk
Reduction Efforts
Transcript of a BriefingsDirect podcast about how to achieve better risk management with
better analysis of risk factors and presenting that in dollars-and-cents terms.
Listen to the podcast. Find it on iTunes. Sponsor: The Open Group
Dana Gardner: Hello, and welcome to a special BriefingsDirect Thought Leadership
Interview series, coming to you in conjunction with The Open Group Conference
on July 15, in Philadelphia.
I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host and
moderator throughout these discussions on enterprise transformation in the
finance, government, and healthcare sector.
We're here now with a panel of experts to explore new trends and solutions in the area of
anticipating risk and how to better manage organizations with that knowledge. We'll learn how
enterprises are better delivering risk assessment and, one hopes, defenses, in the current climate
of challenging cybersecurity. And we'll see how predicting risks and potential losses accurately,
is an essential ingredient in enterprise transformation.
With that, please join me in welcoming our panel, we're here with Jack Freund, the Information
Security Risk Assessment Manager at TIAA-CREF. Jack has spent over 14 years in enterprise IT,
is a visiting professor at DeVry University, and also chairs a Risk-Management Subcommittee
for the ISACA. Welcome back, Jack.
Jack Freund: Glad to be here, Dana. Thanks for having me.
Gardner: We're also here with Jack Jones. He is the Principal at CXOWARE, and he has more
than nine years of experience as a Chief Information Security Officer (CISO). He is also an
inventor of the FAIR risk analysis framework. Welcome, Jack.
Jack Jones: Thank you very much.
Gardner: We're also here with Jim Hietala. He is the Vice President, Security, at The Open
Group. Welcome, Jim.
Jim Hietala: Thanks, Dana, good to be here.
Gardner: Let’s start with you, Jim. It’s been about six months since we spoke about these issues
around risk assessment and understanding risk accurately, and it’s hard to imagine things getting
any better in the last six months. There’s been a lot of news and interesting developments in the
cyber-security landscape.
So has this heightened interest? What are The Open Group and others doing in this field of
risk assessment and accuracy and determining what your losses might be and how that can be a
useful tool?
Hietala: I would say it has. Certainly, in the cybersecurity world in the past six or nine months,
we've seen more and more discussion of the threats that are out there. We’ve got
nation-state types of threats that are very concerning, very serious, and that
organizations have to consider.
With what’s happening, you've seen the US Administration and President
Obama direct the National Institute of Standards and Technology (NIST) to
develop a new cybersecurity framework. Certainly on the government side of
things, there is an increased focus on what can we do to increase the level of cybersecurity
throughout the country in critical infrastructure. So my short answer would be yes, there is more
interest in coming up with ways to accurately measure and assess risk so that we can then deal
with it.
Perception shift
Gardner: Jack Jones, do you also see a maturity going on, or are we just hearing more in the
news and therefore there is a perception shift? How do you see things? How have things
changed, in your perception, over the last six to nine months?
Jones: I continue to see growth and maturity, especially in areas of understanding the
fundamental nature of risk and exploration of quantitative methods for it. A few
years ago, that would have seemed unrealistic at best, and outlandish at worst in
many people’s eyes. Now, they're beginning to recognize that it is not only
pragmatic, but necessary in order to get a handle on much of what we have to do
from a prioritization perspective.
Gardner: Jack Freund, are you seeing an elevation in the attention being paid to
risk issues inside companies in larger organizations? Is this something that’s getting
the attention of all the people it should?
Freund: We're entering a phase where there is going to be increased regulatory oversight over
very nearly everything. When that happens, all eyes are going to turn to IT and IT risk
management functions to answer the question of whether we're handling the right things.
Without quantifying risk, you're going to have a very hard time saying to your board of directors
that you're handling the right things the way a reasonable company should.
As those regulators start to see and compare among other companies, they'll find that these
companies over here are doing risk quantification, and you're not. You're putting yourself at a
competitive disadvantage by not being able to provide those same sorts of services.
Gardner: So you're saying that the market itself hasn’t been enough to drive this, and that
regulation is required?
Freund: It’s probably a stronger driver than market forces at this point. The market is always
going to be able to help push that to a more prominent role, but especially in
information security. If you're not experiencing primary losses as a result of these
sorts of things, then you have to look to economic externalities, which are largely
put in play by regulatory forces here in the United States.
Jones: To support Jack’s statement that regulators are becoming more interested
in this too, just in the last 60 days, I've spent time training people at two
regulatory agencies on FAIR. So they're becoming more aware of these
quantitative methods, and their level of interest is rising.
Gardner: Jack Jones, this is probably a good time for us to explain a little bit more about FAIR.
For those listeners who might not be that familiar with it, please take a moment to give us the
high-level overview of what FAIR is.
Jones: Sure, just a thumbnail sketch of it. It’s, first and foremost, a model for what risk is and how
it works. It’s a decomposition of the factors that make up risk. If you can measure or estimate the
value of those factors, you can derive risk quantitatively in dollars and cents.
Risk quantification
You see a lot of “risk quantification” based on ordinal scales -- 1, 2, 3, 4, 5 scales, that sort of
thing. But that’s actually not quantitative. If you dig into it, there's no way you could defend a
mathematical analysis based on those ordinal approaches. So FAIR is this model for risk that
enables true quantitative analysis in a very pragmatic way.
Gardner: FAIR stands for a Factor Analysis of Information Risk. Is
that correct?
Jones: That is correct.
Gardner: Jim Hietala, we also have in addition to a very interesting and dynamic cybersecurity
landscape a major trend getting traction in big data, cloud computing, and mobile. There's lots
going on in the IT world. Perhaps IT's very nature, the roles and responsibilities, are shifting. Is
doing risk assessment and management becoming part and parcel of core competency of IT, and
is that a fairly big departure from the past?
Hietala: As to the first question, it's having to become kind of a standard practice within IT.
When you look at outsourcing your IT operations to a cloud-service provider, you have to
consider the security risks in that environment. What do they look like and how do we measure
them?
It's the same thing for things like mobile computing. You really have to look at the risks of folks
carrying tablets and smart phones, and understand the risks associated with those same things for
big data. For any of these large-scale changes to our IT infrastructure you’ve got to understand
what it means from a security and risk standpoint.
Gardner: Jack Freund or Jack Jones, any thoughts about the changing role of IT as a service and
service-level agreement brokering aspects of IT aligned with risk assessment?
Freund: I read an interesting article this morning around a school district that is doing
something they call bring your own technology (BYOT). For anybody who has been involved in
these sort of efforts in the corporate world that should sound very familiar. But I want to think
culturally around this. When you have students wondering how to do these sorts of things and
becoming accustomed to being able to bring current technology, oh my gosh. When they get to
the corporate world and start to work, they're going to expect the same sorts of levels of service.
To answer your earlier question, absolutely. We have to find a way to embed risk assessment,
which is really just a way to inform decision making and how we adapt all of these technological
changes to increase market position and to make ourselves more competitive. That’s important.
Whether that’s an embedded function within IT or it’s an overarching function that exists across
multiple business units, there are different models that work for different size companies and
companies of different cultural types. But it has to be there. It’s absolutely critical.
Gardner: Jack Jones, how do you come down on this role of IT shifting in the risk assessment
issues, something that’s their responsibility? Are they embracing that or maybe wishing it away?
Jones: It depends on whom you talk to. Some of them would certainly like to wish it away. I
don't think IT’s role in this idea for risk assessment and such has really changed. What is
changing is the level of visibility and interest within the organization, the business side of the
organization, in the IT risk position.
Board-level interest
Previously, they were more or less tucked away in a dark corner. People just threw money at it
and hoped bad things didn't happen. Now, you're getting a lot more board-level interest in IT
risk, and with that visibility comes a responsibility, but also a certain amount of danger. If they’re
doing it really badly, they're incredibly immature in how they approach risk.
They're going to look pretty foolish in front of the board. Unfortunately, I've seen that play out.
It’s never pretty and it's never good news for the IT folks. They're realizing that they need to
come up to speed a little bit from a risk perspective, so that they won't look the fools when
they're in front of these executives.
They're used to seeing quantitative measures of opportunities and operational issues of risk of
various natures. If IT comes to the table with a red, yellow, green chart, the board is left to
wonder, first how to interpret that, and second, whether these guys really get it. I'm not sure the
role has changed, but I think the responsibilities and level of expectations are changing.
Gardner: Part of what FAIR does in risk analysis in general is to identify potential losses and
put some dollars on what potential downside there is. That provides IT with the tool, the ability,
to rationalize investments that are needed. Are you seeing the knowledge of potential losses to be
an incentive for spending on modernization?
Jones: Absolutely. One organization I worked with recently had certain deficiencies from the
security perspective that they were aware of, but that were going to be very problematic to fix.
They had identified technology and process solutions that they thought would take them a long
way towards a better risk position. But it was a very expensive proposition, and they didn't have
money in the IT or information security budget for it.
So, we did a current-state analysis using FAIR, how much loss exposure they had on an annualized
basis. Then, we said, "If you plug this solution into place, given how it affects the frequency and
magnitude of loss that you'd expect to experience, here's what your new annualized loss
exposure would be." It turned out to be a multimillion dollar reduction in annualized loss
exposure for a few hundred thousand dollars cost.
When they took that business case to management, it was a no-brainer, and management signed
the check in a hurry. So they ended up being in a much better position.
If they had gone to executive management saying, "Well, we’ve got a high risk and if we buy this
set of stuff we’ll have low or medium risk," it would've been a much less convincing and
understandable business case for the executives. There's reason to expect that it would have been
challenging to get that sort of funding given how tight their corporate budgets were and that sort
of thing. So, yeah, it can be incredibly effective in those business cases.
Gardner: Correct me if I am wrong, but you have a book out since we last spoke. Jack, maybe
you could tell us a bit about that and how that comes to bear on these issues?
Freund: Well, the book is currently being written. Jack Jones and I have entered into a contract
with Elsevier and we're also going to be preparing the manuscript here over the summer and
winter. Probably by second quarter next year, we'll have something that we can share with
everybody. It's something that has been a long time coming. For Jack, I know he has wanted to
write this for a long time.
Conversational book
We wanted to build a conversational book around how to assess risk using FAIR, and that's an
important distinction from other books in the market today. You really want to dig into a lot of
the mathematical stuff. I'm speaking personally here, but I wanted to build a book that gave
people tools, gave practitioners the risk tools to be able to handle common challenges and
common opposition to what they are doing every day, and just understand how to apply concepts
in FAIR in a very tangible way.
Gardner: Very good. What about the conference itself? We're coming up very rapidly on The
Open Group Conference. What should we expect in terms of some of your presentations and
training activities?
Jones: I think it will be a good time. People would be pleased to have the quality of the
presentations and some of the new information that they'll get to see and experience. As you said,
we're offering FAIR training as a part of a conference. It's a two-day session with an opportunity
afterwards to take the certification exam.
If history is any indication, people will go through the training. We get a lot of very positive
remarks about a number of different things. One, they never imagined that risk could be
interesting. They're also surprised that it's not, as one friend of mine calls it "rocket surgery." It's
relatively straightforward and intuitive stuff. It's just that as a profession, we haven't had this
framework for reference, as well as some of the methods that we apply to make it practical and
defensible before.
So we've gotten great feedback in the past, and I think people will be pleasantly surprised at what
they experienced.
Freund: One of the things I always say about FAIR training is it's a real red pill-blue pill
moment -- in reference to the old Matrix movies. I took FAIR training several years ago with
Jack. I always tease Jack that it's ruined me for other risk assessment methods. Once you learn
how to do it right, it's very obvious which are the wrong methods and why you can't use them to
assess risk and why it's problematic.
I'm joking. It's really great and valuable training, and now I use it every day. It really does open
your eyes to the problems and the risk assessment portion of IT today, and gives very practical
and actionable things to do in order to be able to fix that, and to provide value to your
organization.
Gardner: Jim Hietala, the emphasis in terms of vertical industries at the conference is on
finance, government and healthcare. They seem to be the right groups to be factoring more
standardization and understanding of risk. Tell me how it comes together. Why is The Open
Group looking at vertical industries at this time?
Hietala: Specific to risk, if I can talk about that for a second, the healthcare world, at least here
in the US, has new security rules, and one of the first few requirements is perform an annual risk
assessment. So it's currently relevant to that industry.
Same with finance
It’s the same thing with finance. One of the regulations around financial organizations tells them
that, in terms of information security, they need to do a risk assessment. In government, clearly
there has been a lot of emphasis on understanding risk and mitigating it throughout various
government sectors.
In terms of The Open Group and verticals, we've done lots of great work in the area of enterprise
architecture, security, and all the areas for which we've done work. In terms of our conferences,
we've evolved things over the last year or so to start to look at what are the things that are unique
in verticals.
It started in the mining industry. We set up a mining metals and exploration forum that looked at
IT and architecture issues related specifically to that sector. We started that work several years
ago and now we're looking at other industries and starting to assess the unique things in
healthcare, for example. We've got a one day workshop at Philadelphia on the Tuesday of the
conference, looking at IT and transformation opportunities in the healthcare sector.
That's how we got to this point, and we'll see more of that from The Open Group in the future.
Gardner: Are there any updates that we should be aware of in terms of activities within The
Open Group and other organizations working on standards, taxonomy, and definitions when it
comes to risk?
Hietala: I'll take that and dive into that. We at The Open Group originally published a risk
taxonomy standard based on FAIR four years ago. Over time, we've seen greater adoption by
large companies and we've also seen the need to extend what we're doing there. So we're
updating the risk taxonomy standard, and the new version of that should be published by the end
of this summer.
We also saw within the industry, the need for a certification program for risk analysts, and so
they'd be trained in quantitative risk assessment using FAIR. We're working on that program and
we'll be talking more about it in Philadelphia.
Along the way, as we were building the certification program, we realized that there was a
missing piece in terms of the body of knowledge. So we created a second standard that is a
companion to the taxonomy. That will be called the Risk Analysis Standard that looks more at
some of the process issues and how to do risk analysis using FAIR. That standard will also
be available by the end of the summer and, combined, those two standards will form the body of
knowledge that we'll be testing against in the certification program when it goes live later this
year.
Gardner: Jack Freund, it seems that between regulatory developments, the need for maturity in
these enterprises, and the standardization that's being brought to bear by such groups as The
Open Group, it's making this quite a bit more of the science and less of an art.
What does that bring to organizations in terms of a bottom-line effect? I wonder if there is a use
case or even an example that you could mention and explain that would help people better
understand what they get back when they go through these processes and they get this better
maturity around risk?
Risk assessment
Freund: I'm not an attorney, but I have had a lot of lawyers tell me -- I think Jim had
mentioned before in his vertical conversation -- that a lot of the regulations start with performing
annual risk assessment and then choose controls based upon that. They're not very prescriptive
that way.
One of the things that it drives in organizations is a sense of satisfaction that we've got things
covered more than anything else. When you have your leadership in these organizations
understanding that you're doing what a regular reasonable company would do to manage risk this
way, you have fewer fire drills. Nobody likes to walk into work and have to deal with hundred
different things.
We're moving hard drives out of printers and fax machines, what are we doing around scanning
and vulnerabilities, and all of those various things that every single day can inundate you with
worry, as opposed to focusing on the things that matter.
I like a folksy saying that sort of sums things up pretty well -- a dime holding up a dollar. You
have all these little bitty squabbly issues that get in the way of really focusing on reducing risk in
your organization in meaningful ways and focusing on the things that matter.
Using approaches like FAIR drives a lot of value into your organization, because you're freeing
up mind share in your executives to focus on things that really matter.
Gardner: Jack Jones, a similar question, any examples that exemplify the virtues of doing the
due diligence and having some of these systems and understanding in place?
Jones: I have an example to Jack Freund’s point about being able to focus and prioritize. One
organization I was working with had identified a significant risk issue and they were considering
three different options for risk mitigation that had been proposed. One was "best practice," and
the other two were less commonly considered for that particular issue.
An analysis showed with real clarity that option B, one of the not-best practice options, should
reduce risk every bit as effectively as best practice, but had a whole lot lower cost. The
organization then got to make an informed decision about whether they were going to be herd
followers or whether they were going to be more cost-effective in risk management.
Unfortunately, there’s always danger in not following the herd. If something happens
downstream, and you didn't follow best practice, you're often asked to explain why you didn't
follow the herd.
That was part of the analysis too, but at the end of the day, management got to make a decision
on how they wanted to behave. They chose to not follow best practice and be more cost-effective
in using their money. When I asked them why they felt comfortable with that, they said,
"Because we’re comfortable with the rigor in your analysis."
Best practice
To your question earlier about art-versus-science, first of all, in most organizations there would
have been no question. They would have said, "We must follow best practice." They wouldn’t
even examine the options, and management wouldn’t have had the opportunity to make that
decision.
Furthermore, even if they had "examined" those options using a more subjective, artistic
approach, somebody's wet finger in the air, management almost certainly would not have felt
comfortable with a non-best practice approach. So, the more scientific, more rigorous, approach
that something like FAIR provides, gives you all kinds of opportunity to make informed
decisions and to feel more comfortable about those decisions.
Gardner: It really sounds as if there's a synergistic relationship between a lot of the big-data and
analytics investments that are being made for a variety of reasons, and also this ability to bring
more science and discipline to risk analysis.
How do those come together, Jack Jones? Are we seeing the dots being connected in these large
organizations that they can take more of what they garner from big data and business intelligence
(BI) and apply that to these risk assessment activities, is that happening yet?
Jones: It’s just beginning to. It’s very embryonic, and there are only probably a couple of
organizations out there that I would argue are doing that with any sort of effectiveness. Imagine
that -- they’re both using FAIR.
But when you think about BI or any sort of analytics, there are really two halves to the equation.
One is data and the other is models. You can have all the data in the world, but if your models
stink, then you can't be effective. And, of course, vice versa. If you’ve got a great model and zero
data, then you've got challenges there as well.
Being able to combine the two, good data and effective models, puts you in much better place.
As an industry, we aren’t there yet. We've got some really interesting things going on, and so
there's a lot of potential there, but people have to leverage that data effectively and make sure
they're using a model that makes sense.
There are some models out there that frankly are just so badly broken that all the data in the
world isn’t going to help you. The models will grossly misinform you. So people have to be
careful, because data is great, but if you’re applying it to a bad model, then you're in trouble.
Gardner: We are coming up near the end of our half hour. Jack Freund, for those organizations
that are looking to get started, to get more mature, perhaps start leveraging some of their
investments in areas like big data, in addition to attending The Open Group Conference or
watching some of the plenary sessions online, what tips do you have for getting started? Are
there some basic building blocks that should be in place or ways in which to get the ball rolling
when it comes to a better risk analysis?
Freund: Strong personality matters in this. They have to have some sort of evangelist in the
organization who cares enough about it to drive it through to completion. That’s a stake on the
ground to say, "Here is where we're going to start, and here is the path that we are going to go
on."
Strong commitment
When you start doing that sort of thing, even if leadership changes and other things happen,
you have a strong commitment from the organization to keep moving forward on these sorts of
things.
I spend a lot of my time integrating FAIR with other methodologies. One of the messaging points
that I keep saying all the time is that what we are doing is implementing a discipline around how
we choose our risk rankings. That’s one of the great things about FAIR. It's universally
compatible with other assessment methodologies, programs, standards, and legislation that
allows you to be consistent and precise around how you're connecting to everything else that
your organization cares about.
Concerns around operational risk integration are important as well. But driving that through to
completion in the organization has a lot to do with finding sponsorship and then just building a
program to completion. But absent that high-level sponsorship, because FAIR allows you to
build a discipline around how you choose rankings, you can also build it from the bottom up.
You can have these groups of people that are FAIR trained that can build risk analyses or either
pick ranges -- 1, 2, 3, 4 or high, medium, low. But then when questioned, you have the ability to
say, "We think this is a medium, because it met our frequency and magnitude criteria that we've
been establishing using FAIR."
Different organizations culturally are going to have different ways to implement and to structure
quantitative risk analysis. In the end it's an interesting and reasonable path to get to risk utopia.
Gardner: Jack Jones, any thoughts from your perspective on a good way to get started, maybe
even through the lens of the verticals that The Open Group has targeted for this conference,
finance, government and healthcare? Are there any specific important things to consider on the
outset for your risk analysis journey from any of the three verticals?
Jones: A good place to start is with the materials that The Open Group has made available on the
risk taxonomy and that soon to be published risk-analysis standard.
Another source that I recommend to everybody I talk to about other sorts of things is a book
called ‘How to Measure Anything’ by Douglas Hubbard. If someone is even the least bit interested
in actually measuring risk in quantitative terms, they owe it to themselves to read that book. It
puts into layman’s terms some very important concepts and approaches that are tremendously
helpful. That's an important resource for people to consider too.
As far as within organizations, some organizations will have a relatively mature enterprise risk-
management program at the corporate level, outside of IT. Unfortunately, it can be hit-and-miss,
but there can be some very good resources in terms of people and processes that the organization
has already adopted. But you have to be careful there too, because with some of those enterprise
risk-management programs, even though they may have been in place for years, and thus, one
would think over time and become mature, all they have done is dig a really deep ditch in terms
of bad practices and misconceptions.
So it's worth having the conversation with those folks to gauge how clueful are they, but don't
assume that just because they have been in place for a while and they have some specific title or
something like that that they really understand risk at that level.
Gardner: Well, very good. I'm afraid we will have to leave it there. We've been talking with a
panel of experts about the new trends and solutions in the area of anticipating risk and how to
better manage organizations with that knowledge. We've seen how enterprises are better
delivering risk assessments, or beginning to, as they are facing challenges in cyber-security as
well as undergoing the larger undertaking of enterprise transformation.
This special BriefingsDirect discussion comes to you in conjunction with The Open Group
Conference in July 2013 in Philadelphia. There's more information on The Open Group website
about that conference for you to attend or to gather information from either in live streaming or
there are often resources available to download app to the conference.
So with that thanks to our panel. We've been joined by Jack Freund. He is the Information
Security Risk Assessment Manager at TIAA-CREF. Thank you so much, Jack.
Freund: Thank you Dana.
Gardner: And also Jack Jones, the Principal at CXOWARE. Thank you, sir.
Jones: It's been my pleasure. Thanks.
Gardner: And then also lastly, Jim Hietala, Vice President, Security at The Open Group. Thank
you, Jim.
Hietala: Thank you, Dana.
Gardner: And this is Dana Gardner, Principal Analyst at Interarbor Solutions, your host and
moderator through these thought leader interview series. Thanks again for listening, and come
back next time.
Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.
You may also be interested in:
• The Open Group Gets Under Enterprise Architecture, Business Architecture, and
Enterprise Transformation
• The Open Group Panel Explains How the ArchiMate Modeling Language and The Open
Group Architecture Framework Impact Such Trends as Big Data and Cloud
• The Open Group Conference Panel Explores How the Big Data Era Now Challenges the
IT Status Quo
• Using the Cloud for Big-Data Requires a New Recipe
• Big Data Success Depends on Better Risk Management Practices Like FAIR, Say The
Open Group Panelists
• The Open Group Keynoter Sees Big-Data Analytics Bolstering Quality, Manufacturing,
Processes
• The Open Group Trusted Technology Forum is Leading the Way to Securing GLobal IT
Supply Chains

The Open Group July Conference Emphasizes Value of Placing Structure and Agility Around Enterprise Risk Reduction Efforts

  • 1. The Open Group July Conference Emphasizes Value of Placing Structure and Agility Around Enterprise Risk Reduction Efforts Transcript of a BriefingsDirect podcast about the how to achieve better risk management with better analysis of risk factors and presenting that in dollars-and-cents terms. Listen to the podcast. Find it on iTunes. Sponsor: The Open Group Dana Gardner: Hello, and welcome to a special BriefingsDirect Thought Leadership Interview series, coming to you in conjunction with The Open Group Conference on July 15, in Philadelphia. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator throughout these discussions on enterprise transformation in the finance, government, and healthcare sector. We're here now with a panel of experts to explore new trends and solutions in the area of anticipating risk and how to better manage organizations with that knowledge. We'll learn how enterprises are better delivering risk assessment and, one hopes, defenses, in the current climate of challenging cybersecurity. And we'll see how predicting risks and potential losses accurately, is an essential ingredient in enterprise transformation. With that, please join me in welcoming our panel, we're here with Jack Freund, the Information Security Risk Assessment Manager at TIAA-CREF. Jack has spent over 14 years in enterprise IT, is a visiting professor at DeVry University, and also chairs a Risk-Management Subcommittee for the ISACA. Welcome back, Jack. Jack Freund: Glad to be here, Dana. Thanks for having me. Gardner: We're also here with Jack Jones. He is the Principal at CXOWARE, and he has more than nine years of experience as a Chief Information Security Officer (CISO). He is also an inventor of the FAIR, risk analysis framework. Welcome, Jack. Jack Jones: Thank you very much. Gardner: We're also here with Jim Hietala. He is the Vice President, Security, at The Open Group. Welcome, Jim. Jim Hietala: Thanks, Dana, good to be here. 
Gardner: Let’s start with you, Jim. It’s been about six months since we spoke about these issues around risk assessment and understanding risk accurately, and it’s hard to imagine things getting
  • 2. any better in the last six months. There’s been a lot of news and interesting developments in the cyber-security landscape. So has this heightened interest? What are The Open Group and others are doing in this field of risk assessment and accuracy and determining what your losses might be and how that can be a useful tool? Hietala:: I would say it has. Certainly, in the cybersecurity world in the past six or nine months, we've seen more and more discussion of the threats that are out there. We’ve got nation-state types of threats that are very concerning, very serious, and that organizations have to consider. With what’s happening, you've seen that the US Administration and President Obama direct the National Institute of Standards and Technology (NIST) to develop a new cybersecurity framework. Certainly on the government side of things, there is an increased focus on what can we do to increase the level of cybersecurity throughout the country in critical infrastructure. So my short answer would be yes, there is more interest in coming up with ways to accurately measure and assess risk so that we can then deal with it. Perception shift Gardner: Jack Jones, do you also see a maturity going on, or are we just hearing more in the news and therefore there is a perception shift? How do you see things? How have things changed, in your perception, over the last six to nine months? Jones: I continue to see growth and maturity, especially in areas of understanding the fundamental nature of risk and exploration of quantitative methods for it. A few years ago, that would have seemed unrealistic at best, and outlandish at worst in many people’s eyes. Now, they're beginning to recognize that it is not only pragmatic, but necessary in order to get a handle on much of what we have to do from a prioritization perspective. Gardner: Jack Freund are you seeing an elevation in the attention being paid to risk issues inside companies in larger organizations? 
Is this something that’s getting the attention of all the people it should? Freund: We're entering a phase where there is going to be increased regulatory oversight over very nearly everything. When that happens, all eyes are going to turn to IT and IT risk management functions to answer the question of whether we're handling the right things. Without quantifying risk, you're going to have a very hard time saying to your board of directors that you're handling the right things the way a reasonable company should.
  • 3. As those regulators start to see and compare among other companies, they'll find that these companies over here are doing risk quantification, and you're not. You're putting yourself at a competitive disadvantage by not being able to provide those same sorts of services. Gardner: So you're saying that the market itself hasn’t been enough to drive this, and that regulation is required? Freund: It’s probably a stronger driver than market forces at this point. The market is always going to be able to help push that to a more prominent role, but especially in information security. If you're not experiencing primary losses as a result of these sorts of things, then you have to look to economic externalities, which are largely put in play by regulatory forces here in the United States. Jones: To support Jack’s statement that regulators are becoming more interested in this too, just in the last 60 days, I've spent time training people at two regulatory agencies on FAIR. So they're becoming more aware of these quantitative methods, and their level of interest is rising. Gardner: Jack Jones, this is probably a good time for us to explain a little bit more about FAIR. For those listeners who might not be that familiar with it, please take a moment to give us the high-level overview of what FAIR is. Jones: Sure, just thumbnail sketch of it. It’s, first and foremost, a model for what risk is and how it works. It’s a decomposition of the factors that make up risk. If you can measure or estimate the value of those factors, you can derive risk quantitatively in dollars and cents. Risk quantification You see a lot of “risk quantification” based on ordinal scales -- 1, 2, 3, 4, 5 scales, that sort of thing. But that’s actually not quantitative. If you dig into it, there's no way you could defend a mathematical analysis based on those ordinal approaches. So FAIR is this model for risk that enables true quantitative analysis in a very pragmatic way. 
Gardner: FAIR stands for a Factor Analysis of Information Risk. Is that correct?
Jones: That is correct.
Gardner: Jim Hietala, we also have in addition to a very interesting and dynamic cybersecurity landscape a major trend getting traction in big data, cloud computing, and mobile. There's lots going on in the IT world. Perhaps IT's very nature, the roles and responsibilities, are shifting. Is doing risk assessment and management becoming part and parcel of core competency of IT, and is that a fairly big departure from the past?
Hietala: As to the first question, it's having to become kind of a standard practice within IT. When you look at outsourcing your IT operations to a cloud-service provider, you have to consider the security risks in that environment. What do they look like and how do we measure them? It's the same thing for things like mobile computing. You really have to look at the risks of folks carrying tablets and smart phones, and understand the risks associated with those same things for big data. For any of these large-scale changes to our IT infrastructure you’ve got to understand what it means from a security and risk standpoint.
Gardner: Jack Freund or Jack Jones, any thoughts about the changing role of IT as a service and service-level agreement brokering aspects of IT aligned with risk assessment?
Freund: I read an interesting article this morning around a school district that is doing something they call bring your own technology (BYOT). For anybody who has been involved in these sorts of efforts in the corporate world that should sound very familiar. But I want to think culturally around this. When you have students wondering how to do these sorts of things and becoming accustomed to being able to bring current technology, oh my gosh. When they get to the corporate world and start to work, they're going to expect the same sorts of levels of service. To answer your earlier question, absolutely. We have to find a way to embed risk assessment, which is really just a way to inform decision making and how we adapt all of these technological changes to increase market position and to make ourselves more competitive. That’s important. Whether that’s an embedded function within IT or it’s an overarching function that exists across multiple business units, there are different models that work for different size companies and companies of different cultural types. But it has to be there. It’s absolutely critical.
Gardner: Jack Jones, how do you come down on this role of IT shifting in the risk assessment issues, something that’s their responsibility. Are they embracing that or maybe wishing it away?
Jones: It depends on whom you talk to. Some of them would certainly like to wish it away. I don't think IT’s role in this idea for risk assessment and such has really changed. What is changing is the level of visibility and interest within the organization, the business side of the organization, in the IT risk position.
Board-level interest
Previously, they were more or less tucked away in a dark corner. People just threw money at it and hoped bad things didn't happen. Now, you're getting a lot more board-level interest in IT risk, and with that visibility comes a responsibility, but also a certain amount of danger. If they’re doing it really badly, they're incredibly immature in how they approach risk.
They're going to look pretty foolish in front of the board. Unfortunately, I've seen that play out. It’s never pretty and it's never good news for the IT folks. They're realizing that they need to come up to speed a little bit from a risk perspective, so that they won't look the fools when they're in front of these executives. They're used to seeing quantitative measures of opportunities and operational issues of risk of various natures. If IT comes to the table with a red, yellow, green chart, the board is left to wonder, first how to interpret that, and second, whether these guys really get it. I'm not sure the role has changed, but I think the responsibilities and level of expectations are changing.
Gardner: Part of what FAIR does in risk analysis in general is to identify potential losses and put some dollars on what potential downside there is. That provides IT with the tool, the ability, to rationalize investments that are needed. Are you seeing the knowledge of potential losses to be an incentive for spending on modernization?
Jones: Absolutely. One organization I worked with recently had certain deficiencies from the security perspective that they were aware of, but that were going to be very problematic to fix. They had identified technology and process solutions that they thought would take them a long way towards a better risk position. But it was a very expensive proposition, and they didn't have money in the IT or information security budget for it. So, we did a current-state analysis using FAIR, how much loss exposure they had on an annualized basis. Then, we said, "If you plug this solution into place, given how it affects the frequency and magnitude of loss that you'd expect to experience, here's what your new annualized loss exposure would be." It turned out to be a multimillion dollar reduction in annualized loss exposure for a few hundred thousand dollars cost.
When they took that business case to management, it was a no-brainer, and management signed the check in a hurry. So they ended up being in a much better position. If they had gone to executive management saying, "Well, we’ve got a high risk and if we buy this set of stuff we’ll have low or medium risk," it would've been a much less convincing and understandable business case for the executives. There's reason to expect that it would have been challenging to get that sort of funding given how tight their corporate budgets were and that sort of thing. So, yeah, it can be incredibly effective in those business cases.
Gardner: Correct me if I am wrong, but you have a book out since we last spoke. Jack, maybe you could tell a bit about that and how that comes to bear on these issues?
Freund: Well, the book is currently being written. Jack Jones and I have entered into a contract with Elsevier and we're also going to be preparing the manuscript here over the summer and winter. Probably by second quarter next year, we'll have something that we can share with everybody. It's something that has been a long time coming. For Jack, I know he has wanted to write this for a long time.
Conversational book
We wanted to build a conversational book around how to assess risk using FAIR, and that's an important distinction from other books in the market today. You really want to dig into a lot of the mathematical stuff. I'm speaking personally here, but I wanted to build a book that gave people tools, gave practitioners the risk tools to be able to handle common challenges and common opposition to what they are doing every day, and just understand how to apply concepts in FAIR in a very tangible way.
Gardner: Very good. What about the conference itself? We're coming up very rapidly on The Open Group Conference. What should we expect in terms of some of your presentations and training activities?
Jones: I think it will be a good time. People would be pleased to have the quality of the presentations and some of the new information that they'll get to see and experience. As you said, we're offering FAIR training as a part of a conference. It's a two-day session with an opportunity afterwards to take the certification exam. If history is any indication, people will go through the training. We get a lot of very positive remarks about a number of different things. One, they never imagined that risk could be interesting. They're also surprised that it's not, as one friend of mine calls it "rocket surgery." It's relatively straightforward and intuitive stuff. It's just that as a profession, we haven't had this framework for reference, as well as some of the methods that we apply to make it practical and defensible before. So we've gotten great feedback in the past, and I think people will be pleasantly surprised at what they experienced.
Freund: One of the things I always say about FAIR training is it's a real red pill-blue pill moment -- in reference to the old Matrix movies. I took FAIR training several years ago with Jack. I always tease Jack that it's ruined me for other risk assessment methods.
Once you learn how to do it right, it's very obvious which are the wrong methods and why you can't use them to assess risk and why it's problematic. I'm joking. It's really great and valuable training, and now I use it every day. It really does open your eyes to the problems and the risk assessment portion of IT today, and gives very practical and actionable things to do in order to be able to fix that, and to provide value to your organization.
Gardner: Jim Hietala, the emphasis in terms of vertical industries at the conference is on finance, government and healthcare. They seem to be the right groups to be factoring more standardization and understanding of risk. Tell me how it comes together. Why is The Open Group looking at vertical industries at this time?
Hietala: Specific to risk, if I can talk about that for a second, the healthcare world, at least here in the US, has new security rules, and one of the first few requirements is to perform an annual risk assessment. So it's currently relevant to that industry.
Same with finance
It’s the same thing with finance. One of the regulations around financial organizations tells them that, in terms of information security, they need to do a risk assessment. In government, clearly there has been a lot of emphasis on understanding risk and mitigating it throughout various government sectors. In terms of The Open Group and verticals, we've done lots of great work in the area of enterprise architecture, security, and all the areas for which we've done work. In terms of our conferences, we've evolved things over the last year or so to start to look at what are the things that are unique in verticals. It started in the mining industry. We set up a mining metals and exploration forum that looked at IT and architecture issues related specifically to that sector. We started that work several years ago and now we're looking at other industries and starting to assess the unique things in healthcare, for example. We've got a one-day workshop at Philadelphia on the Tuesday of the conference, looking at IT and transformation opportunities in the healthcare sector. That's how we got to this point, and we'll see more of that from The Open Group in the future.
Gardner: Are there any updates that we should be aware of in terms of activities within The Open Group and other organizations working on standards, taxonomy, and definitions when it comes to risk?
Hietala: I'll take that and dive into that. We at The Open Group originally published a risk taxonomy standard based on FAIR four years ago. Over time, we've seen greater adoption by large companies and we've also seen the need to extend what we're doing there.
So we're updating the risk taxonomy standard, and the new version of that should be published by the end of this summer. We also saw within the industry the need for a certification program for risk analysts, and so they'd be trained in quantitative risk assessment using FAIR. We're working on that program and we'll be talking more about it in Philadelphia. Along the way, as we were building the certification program, we realized that there was a missing piece in terms of the body of knowledge. So we created a second standard that is a companion to the taxonomy. That will be called the Risk Analysis Standard that looks more at some of the process issues and how to do risk analysis using FAIR. That standard will also be available by the end of the summer and, combined, those two standards will form the body of knowledge that we'll be testing against in the certification program when it goes live later this year.
Gardner: Jack Freund, it seems that between regulatory developments, the need for maturity in these enterprises, and the standardization that's being brought to bear by such groups as The Open Group, it's making this quite a bit more of the science and less of an art. What does that bring to organizations in terms of a bottom-line effect? I wonder if there is a use case or even an example that you could mention and explain that would help people better understand what they get back when they go through these processes and they get this better maturity around risk?
Risk assessment
Freund: I'm not an attorney, but I have had a lot of lawyers tell me -- I think Jim had mentioned before in his vertical conversation -- that a lot of the regulations start with performing annual risk assessment and then choose controls based upon that. They're not very prescriptive that way. One of the things that it drives in organizations is a sense of satisfaction that we've got things covered more than anything else. When you have your leadership in these organizations understanding that you're doing what a regular reasonable company would do to manage risk this way, you have fewer fire drills. Nobody likes to walk into work and have to deal with a hundred different things. We're moving hard drives out of printers and fax machines, what are we doing around scanning and vulnerabilities, and all of those various things that every single day can inundate you with worry, as opposed to focusing on the things that matter. I like a folksy saying that sort of sums things up pretty well -- a dime holding up a dollar. You have all these little bitty squabbly issues that get in the way of really focusing on reducing risk in your organization in meaningful ways and focusing on the things that matter.
Using approaches like FAIR drives a lot of value into your organization, because you're freeing up mind share in your executives to focus on things that really matter.
Gardner: Jack Jones, a similar question, any examples that exemplify the virtues of doing the due diligence and having some of these systems and understanding in place?
Jones: I have an example to Jack Freund’s point about being able to focus and prioritize. One organization I was working with had identified a significant risk issue and they were considering three different options for risk mitigation that had been proposed. One was "best practice," and the other two were less commonly considered for that particular issue.
An analysis showed with real clarity that option B, one of the not-best practice options, should reduce risk every bit as effectively as best practice, but had a whole lot lower cost. The organization then got to make an informed decision about whether they were going to be herd followers or whether they were going to be more cost-effective in risk management. Unfortunately, there’s always danger in not following the herd. If something happens downstream, and you didn't follow best practice, you're often asked to explain why you didn't follow the herd. That was part of the analysis too, but at the end of the day, management got to make a decision on how they wanted to behave. They chose to not follow best practice and be more cost-effective in using their money. When I asked them why they felt comfortable with that, they said, "Because we’re comfortable with the rigor in your analysis."
Best practice
To your question earlier about art-versus-science, first of all, in most organizations there would have been no question. They would have said, "We must follow best practice." They wouldn’t even examine the options, and management wouldn’t have had the opportunity to make that decision. Furthermore, even if they had "examined" those options using a more subjective, artistic approach, somebody's wet finger in the air, management almost certainly would not have felt comfortable with a non-best practice approach. So, the more scientific, more rigorous, approach that something like FAIR provides, gives you all kinds of opportunity to make informed decisions and to feel more comfortable about those decisions.
Gardner: It really sounds as if there's a synergistic relationship between a lot of the big-data and analytics investments that are being made for a variety of reasons, and also this ability to bring more science and discipline to risk analysis. How do those come together, Jack Jones?
Are we seeing the dots being connected in these large organizations that they can take more of what they garner from big data and business intelligence (BI) and apply that to these risk assessment activities, is that happening yet?
Jones: It’s just beginning to. It’s very embryonic, and there are only probably a couple of organizations out there that I would argue are doing that with any sort of effectiveness. Imagine that -- they’re both using FAIR. But when you think about BI or any sort of analytics, there are really two halves to the equation. One is data and the other is models. You can have all the data in the world, but if your models stink, then you can't be effective. And, of course, vice versa. If you’ve got a great model and zero data, then you've got challenges there as well.
Being able to combine the two, good data and effective models, puts you in a much better place. As an industry, we aren’t there yet. We've got some really interesting things going on, and so there's a lot of potential there, but people have to leverage that data effectively and make sure they're using a model that makes sense. There are some models out there that frankly are just so badly broken that all the data in the world isn’t going to help you. The models will grossly misinform you. So people have to be careful, because data is great, but if you’re applying it to a bad model, then you're in trouble.
Gardner: We are coming up near the end of our half hour. Jack Freund, for those organizations that are looking to get started, to get more mature, perhaps start leveraging some of their investments in areas like big data, in addition to attending The Open Group Conference or watching some of the plenary sessions online, what tips do you have for getting started? Are there some basic building blocks that should be in place or ways in which to get the ball rolling when it comes to a better risk analysis?
Freund: Strong personality matters in this. They have to have some sort of evangelist in the organization who cares enough about it to drive it through to completion. That’s a stake on the ground to say, "Here is where we're going to start, and here is the path that we are going to go on."
Strong commitment
When you start doing that sort of thing, even if leadership changes and other things happen, you have a strong commitment from the organization to keep moving forward on these sorts of things. I spend a lot of my time integrating FAIR with other methodologies. One of the messaging points that I keep saying all the time is that what we are doing is implementing a discipline around how we choose our risk rankings. That’s one of the great things about FAIR.
It's universally compatible with other assessment methodologies, programs, standards, and legislation that allows you to be consistent and precise around how you're connecting to everything else that your organization cares about. Concerns around operational risk integration are important as well. But driving that through to completion in the organization has a lot to do with finding sponsorship and then just building a program to completion. But absent that high-level sponsorship, because FAIR allows you to build a discipline around how you choose rankings, you can also build it from the bottom up. You can have these groups of people that are FAIR trained that can build risk analyses or either pick ranges -- 1, 2, 3, 4 or high, medium, low. But then when questioned, you have the ability to say, "We think this is a medium, because it met our frequency and magnitude criteria that we've been establishing using FAIR."
Different organizations culturally are going to have different ways to implement and to structure quantitative risk analysis. In the end it's an interesting and reasonable path to get to risk utopia.
Gardner: Jack Jones, any thoughts from your perspective on a good way to get started, maybe even through the lens of the verticals that The Open Group has targeted for this conference, finance, government and healthcare? Are there any specific important things to consider on the outset for your risk analysis journey from any of the three verticals?
Jones: A good place to start is with the materials that The Open Group has made available on the risk taxonomy and that soon-to-be-published risk-analysis standard. Another source that I recommend to everybody I talk to about other sorts of things is a book called ‘How to Measure Anything’ by Douglas Hubbard. If someone is even the least bit interested in actually measuring risk in quantitative terms, they owe it to themselves to read that book. It puts into layman’s terms some very important concepts and approaches that are tremendously helpful. That's an important resource for people to consider too. As far as within organizations, some organizations will have a relatively mature enterprise risk-management program at the corporate level, outside of IT. Unfortunately, it can be hit-and-miss, but there can be some very good resources in terms of people and processes that the organization has already adopted. But you have to be careful there too, because with some of those enterprise risk-management programs, even though they may have been in place for years, and thus, one would think over time and become mature, all they have done is dig a really deep ditch in terms of bad practices and misconceptions.
So it's worth having the conversation with those folks to gauge how clueful are they, but don't assume that just because they have been in place for a while and they have some specific title or something like that that they really understand risk at that level.
Gardner: Well, very good. I'm afraid we will have to leave it there. We've been talking with a panel of experts about the new trends and solutions in the area of anticipating risk and how to better manage organizations with that knowledge. We've seen how enterprises are better delivering risk assessments, or beginning to, as they are facing challenges in cyber-security as well as undergoing the larger undertaking of enterprise transformation. This special BriefingsDirect discussion comes to you in conjunction with The Open Group Conference in July 2013 in Philadelphia. There's more information on The Open Group website about that conference for you to attend or to gather information from either in live streaming or there are often resources available to download app to the conference. So with that thanks to our panel. We've been joined by Jack Freund. He is the Information Security Risk Assessment Manager at TIAA-CREF. Thank you so much, Jack.
Freund: Thank you Dana.
Gardner: And also Jack Jones, the Principal at CXOWARE. Thank you, sir.
Jones: It's been my pleasure. Thanks.
Gardner: And then also lastly, Jim Hietala, Vice President, Security at The Open Group. Thank you, Jim.
Hietala: Thank you, Dana.
Gardner: And this is Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator through these thought leader interview series. Thanks again for listening, and come back next time.
Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.