Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

#ISC2Congress: FBI Calls for a Rational Non-Emotional Approach to Risk and Security

The information security industry needs to adopt rational models rather than emotional ones for risk management, according to the Deputy Assistant Director of the FBI, Donald Freese.

During the opening keynote session at (ISC)2 Congress in Austin Texas on September 25 2017, Brandon Dunlap, senior manager of security, risk and compliance at Amazon, interviewed the FBI’s Freese about “a brave new cybercrime world”.

Freese criticized the industry’s confusion over terminology, arguing that “talking about threats as risks does not give us traction. It confuses the message and causes the problem that we are crying wolf.

“Cybersecurity professionals get distracted by the threat because the threat is more fun. We’ve studied threats for decades but we need to get down to intent and capability”, he said.

Using emotion and fear to drive risk management conversations means that cybersecurity professionals are failing the fundamental message. “We should not lose sight of the fact that security is a service that we should be providing”, said Freese. 

Cybersecurity professionals get distracted by the threat because the threat is more fun.Donald Freese

The industry’s immaturity means that we are not yet dealing with an exact science, said the FBI’s deputy assistant director. “We focus on possibility rather than probability...but we need to be able to measure the probability of the threat. Risk management is all about prioritization.”

If security professionals lower risk in a measurable way, then “that becomes a rational model rather than an emotional model”, he said. “Those that are doing well in security are doing so because they are reducing risk in a measurable way.

“We need to think about responding rather than reacting, because reacting is emotional.” CEO’s, he said, will only truly be able to respect their CISO when he/she is being totally rational.

Freese spoke of the importance of building robust relationships with your CEO and board and “earning the right to sit at the table.” Respect, he said, is about consistent trust over time.

Finally, Freese invited the audience to build relationships with their local field office. “We’re out there talking to organizations on a regular basis. We’re very relationship-driven at the FBI and concentrate on building robust relationships with communities all over the world. You can talk to us”, he offered.

What’s Hot on Infosecurity Magazine?