Garrett O’Hara is the Chief Field Technologist, APAC at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.
This week we are joined by Mimecast’s Regional CISO for APAC, Mark O’Hare, who shines a light on the three common CISO persona types (the technical, the compliance, and the risk focused), their trademark strengths and how these personas can influence an organisation.
We also discuss how and why MITRE ATT&CK Framework is useful and the utility of FAIR or Factor Analysis of Information Risk - including its strengths and where it falls short.
The Get Cyber Resilient Show Episode #88 Transcript
Garrett O'Hara: Welcome to The Get Cyber Resilient Podcast. I'm Garrett O'Hara, and today, we're joined by Mimecast's regional CISO for APAC, Mark O'Hare. Mark joined us back in October, 2020 for a conversation on the CISO challenges in a public company. Today, we get into persona types for CISOs: the technical, the compliance, and the risk CISO, and how that shows up in an organization. We talk MITRE ATT&CK framework and how and why that is useful. And we get into the wonderful world of risk analysis models, including a discussion on the utility of FAIR or factor analysis of information risk, which has become a bit of a darling of the industry. We talk through why it's good, and some of where it falls short. Over to the conversation. Welcome to The Get Cyber Resilient Podcast. I'm Garrett O'Hara, and this week I'm very, very happy to welcome a repeat guest who is Mark O'Hare, a regional CISO for APAC. How are you doing today, Mark?
Mark O'Hare: Really good. Thanks Garrett. And thanks again for having me on The Get Cyber Resilient Podcast. Great to be here.
Garrett O'Hara: It's absolutely wonderful to have you on. I'm glad we get to record the conversations that I feel like we end up having off mic so often about some of the stuff we're gonna talk about today. So very much looking forward to it. For listeners, Mark has been on before. If you go back to season two Mark was actually Episode 36. You can hear his, his full and varied journey to get to the point where he is a, a regional CISO for Mimecast. So we'll take a shortcut today and and sort of get straight in.
Mark one, one of the things, one of the many things that sort of you and I have been talking about, and you've been helping our organization understand is around the different types of CISOs and that idea that obviously like most roles, everybody, isn't the same. There's a human factor. There's a, a history factor, you know, where people have come from before. But I've found your, your kind of categorization or how you think about CISOs and security leadership really interesting. It would be great to hear from you like in... And how you've kind of categorized CISOs by their persona or types and kinda walk us through those and, and even how they operate differently.
Mark O'Hare: Yeah, sure, Garret. So I mean, I'll start this by saying, you know, broadly speaking, all CISOs are some blend of the, the personas that I will discuss. There is no right or wrong here. It is just my observations over, you know, sort of the last decade of working with working with security people and in the security industry.
So the way I like to categorize the three major groups of, of CISOs that I, I typically come across is we have the technical technical track CISO which I feel at this moment is still the most common CISO that I come into contact with. And these are folks who are likely to report into the CIO and the CIO's organization. They have a strong IT control and technology focus in their, in their backgrounds. Great technical skills and knowledge. They've often grown up through the, the technical track initially and moved into security. They're often also, because they're working in the CIO's rheme, they often are quite influenced by the CIO's agenda themselves and, and fall under the, the vision of the CIO to an extent, and that can be a, can be a positive or a negative, you know, depending on the type of CIO you're reporting into.
So, so that's the technical CISO. Then there's the compliance-based CISO, which I see as the, sort of the least common CISO that I come across. But they've typically come from a, a background of, of compliance and therefore compliance becomes the security team's objective. They're using standards to prioritize and motivate projects. They're using tick boxes often to, you know, to ensure that they are meeting the requirements of the standards that that they align, align with. So they will have chosen a risk framework. They will common, commonly understand that risk framework really, really well. And you know, they'll be looking for compliance-related outcomes, so passing audits and you know, like I said, meeting the requirements of the standards that they've chosen to align with.
And then the third broad category. And bear in mind, this is a Venn diagram as well. Each of these roles overlap in parts with with the others. There's no such thing as purely a technical CISO or purely a compliance CISO. So the third one is the risk CISO. And again, there's no risk-only CISO. So this risk CISO they're typically focused on reducing you know, surface factors, the, the, they're in interested in, in gathering metrics and, and, and using data analytics to understand where they need to prioritize their efforts. So they will have a strong risk analysis methodology that will then help them understand where they, where they should be applying resources. You know, typically that's people and processes and, and technology.
Far less control concerned about the actual IT control or the technical control that's being implemented. They're more focused on the outcome of that thing, whatever it, it might be. And the reporting lines of of that type of CISO and the organization that they typically work in, which is again, more more likely to be a, a more risk mature enterprise type organization. They may not actually report into the CIO. In fact, it's unlikely that they do and their reporting lines will typically be CFO chief risk officer or CEO type reporting lines.
And yeah, so tho- so those are the three personas, sort of technical compliance and risk personas that, that I've seen over the, over the years. Now, while there are these three different types of CISOs, all of them will be concerned with efficacy of their security controls that they've put in place, the efficiency of those controls and, and, you know, maintaining their team's credibility. So while they may have different ways of coming at the problems at the end of the day, they're all concerned with the, the same types of, of things: you know, the organization not getting breached, not having data loss events and, and so forth.
Garrett O'Hara: Yep. Yeah, I definitely get that. You sort of described that as a, a Venn diagram. And, you know, when I think about that, it's a point in time with circles of a certain size. As you kind of think forwards and maybe, you know, coming from the past and, and we're at a point in time and then going forward, which, which of those circles do you think is getting bigger in terms of like popularity or approach, or, or do you even see any trends in, you know, in terms of what persona types or what, what's being seen as most valuable as a CISO type?
Mark O'Hare: Yeah, I think I am observing trends there. It's not terribly obvious. But what I am seeing is a move more towards the risk focused CISO and kind of away from the more technical CISO. And, and I think that is as organizations become more mature around risk in general and start rolling their cybersecurity program into their overall risk program, it helps to have a a manager or a leader of the security team that is also risk focused, uses that as their way of focusing their priorities and aligning resources and building their projects around that sort of stuff.
So I would say that that is probably the persona that is gathering the most momentum, but I do feel on the, that, that the technical CISO is still the most, the most common. You know, typically in the smaller SMB space it's very technical-focused. And in the enterprise and much larger organizations or, or more mature, maybe not necessarily larger, but more mature on a risk in their risk processes, then that's where you will see more of those CISOs emerging.
Garrett O'Hara: Awesome. As you're talking through that, one of the things I suspect shows up is maybe differences in leadership style and, you know, somebody who's very technical versus somebody who's maybe more, you know, when I think of, of sort of risk, you almost think of like you know, actuaries and, you know, people are sort of very good at numbers and, and sort of-
Mark O'Hare: Yeah.
Garrett O'Hara: ... that, you know, almost insurance mindset. It'd be great to hear, like if you've observed or sort of seen in your day to day like different leadership styles showing up with those different persona types?
Mark O'Hare: Yes, I know ab- absolutely. So in terms of the, the technical CISO, what we tend to see there is that they are very focused on tactical and operational security. So they're pretty hands on the, on the tools or at least asking you know, very technical questions of, of their teams to understand, to understand what's going on. And they may also have shifting priorities based on, you know, the current concern and that may be their own personal concern around some something around security or, you know, what's, what's the industry talking about at the moment, "Oh, we better get on board with that sort of thing." So, you know, they have this le- less strategic focus and it's more sort of tactical and operational-focused. And obviously that is then the way they will lead their, lead their teams.
On the risk side of things, you know, often the, the risk leaders they've come from things like areas like military or law enforcement or other senior management fields and that influences their, their leadership style for, for sure. They will be very data and metrics-driven. So they're less interested in the tools that their teams are using and, and how that tool operates. They're more interested in the outcomes of the use of those tools. Are these things, you know, can we show through data and, and metrics that these tools that we are using are appropriate for the job? Are they meeting our team's objectives? You know, and they, they're not likely to get involved in proof of concepts. You know, they, they're gonna leave that up to the technical team to, to run the proof, proof of concepts. And, but they, they will then want to see the results of of that through metrics and, and data analysis to show that the tool is the right thing, it's going to do the, the expected job.
The, the risk-focused CISO also I think they, they see the benefit of a, an ecosystem approach. So will have their teams work on a systems, systems approach, and we'll push their teams to integrate all of their security investments as best as they can to try and get that you know, the, the the whole is greater than the sum of the parts approach to, to the systems that they're, that they're implementing. So it's more a strategic view and a strategic focus and leadership through strategy and understanding. The team understands strategy, and then the rest of the team are more focused on the sort of tactical and operational aspects of of the program.
Garrett O'Hara: Yep. No, I get you. I get you. Let's, let's change tachs completely. You, you, you've sort of, of been doing some interesting work that you were kind enough to, to chat to me off mic about-
Mark O'Hare: Mm-hmm [affirmative].
Garrett O'Hara: ... in terms of the MITRE ATT&CK framework. And look, it's been around for, for quite a while now. I think it's 2015 when it sort of came out originally, and it's like, it's been just incredibly popular and, and widely adopted and, and feels like it's become the language of our, our industry.
Mark O'Hare: Yeah.
Garrett O'Hara: Why do you think it is that we kind of saw that, you know, just massively widespread adoption?
Mark O'Hare: Yeah, sure. Yeah, I think it's, I mean, even before 2015, I think they started earlier maybe a couple of years be- before that, but you're right, it's been it has been around a long time still remains relevant today. So I think it's popular because it, it's evolved with the, the threat landscape. So, you know, it's, because it's evolving, it does remain relevant over time and it's based on real world observations. So these are you know, the, the, the framework is built around analysts who have investigated many, many real world breaches and have worked out this the attacker's life cycle and kept it, kept it up-to-date over time. It also allows security professionals to, to understand attacker models and the methodologies, as well as the, the mitigations for you, you know, against the attackers methodologies through MITRE's published tactics and, and techniques.
It also provides for us a, a common language or, or taxonomy for security professionals to use, but also not just security professionals, but organizational alignment around what's happening. I think organizations can quite well understand the, the MITRE framework. It's pretty, it's pretty simple to, to, to understand and at, at a high level. So that has certainly helped there as well.
It also provides for us a, a great baseline for implementing a broad range of controls, again, across that attacker's li- life cycle. It helps identify where the organization's weaknesses and gaps in their program are and allows you to go fix those, those weaknesses and gaps. It directs you in where to focus your prevention efforts, your detection efforts, your response activities. You can then take logs from your security systems and figure out which of the tactics and techniques, MITRE's tactics and techniques that you can actually detect and identify and alert on. And this gives your SOC a tremendous visibility into an ent- the entire attacker's life cycle, and, you know, gives you multiple points at which to to prevent and and, and detect critically detect when an attacker is has breached or is, is is sniffing around your, your environment.
Garrett O'Hara: Yeah. Do you think there's something there? Like you mentioned, the tactics and techniques and, and the MITRE ATT&CK framework is, is, you know, it's available online. It's very, very detailed.
Mark O'Hare: Yeah.
Garrett O'Hara: You know, you can go levels deep in terms of the tactics and techniques. And as you say, kind of go end to end. Is there... Like, have you ever used in, in the past anything that kind of compares in terms of that level of detail? 'Cause I know there's other threat models and, and frameworks out there. You know, there's STRIDE. There's a bunch of different ones out there, but they, they feel more like they're approaches and, and sort of high level, whereas the MITRE ATT&CK framework just seems of that level of detail that, you know, opens it up as a useful tool in a way that others don't.
Mark O'Hare: Yeah. Yeah.
Garrett O'Hara: Is that fair to say or?
Mark O'Hare: Totally, totally fair to say. I mean, STRIDE, you know, Spoofing, Tempering, Repudiation Information Disclosure, Denial of Service, Elevation of Privilege. That's, that's your, you know, your six your six threats. And you contrast that with with MITRE that has, you know, several hundred techniques. So it's a much more granular model for you to use. You know, again with STRIDE and other threat modeling you, you're trying to answer a question, the question of what can go wrong in the system we're, we're working on? And that's essentially what the threat modeling is supposed to tell you. And, you know, you're looking at your assets and saying, "Well, because it's this asset and this is how it works, and this is the data on there, and the sensitivity of that," you know, you are you're able to then come up with some sort of threat modeling around what, what can go wrong.
But it is not nearly as granular as the, as the MITRE ATT&CK framework. And you know, you may not be thinking of all the ways that an attacker will, will actually attack the system and therefore what can go wrong in the system. Whereas MITRE gives you many, many tech techniques that you can actually go and specifically research. "Okay, are we vulnerable to this particular technique? Put a tick in the box if we are. If we are not, okay, can we detect if someone's abusing this technique?" You know, if you can, yeah, put a tick in that box. You know, if not you're adding that to a list of, you know, we've gotta go and put prevention in this place and detection. And, you know, what's our response if one of these things does does happen? If if one of these threat actors does actually take advantage of, of one of the, the techniques? So it gives you far more granular understanding of the attacker's lifestyle sorry life cycle.
Garrett O'Hara: [laughs] And, and probably their lifestyle comes from that too, making tons of money and buying-
Mark O'Hare: That's right. Their lifestyle is to-
Garrett O'Hara: ... crazy, flashy Lamborghinis.
Mark O'Hare: ... to drive fast cars. Exactly.
Garrett O'Hara: Yeah. There you go. Yeah, I mean, MITRE outside of the ATT&CK framework, I mean, they, they have such a broad range of other things that they've done outside of even cyber. It's just a, it's a phenomenal organization.
Mark O'Hare: Yeah.
Garrett O'Hara: One of the things as you were chatting there Mark, that occurs to me is that they've, it feels like it's hit a kind of critical momentum or a critical mass where, because of that level of granular detail and because it's so widely adopted, its, its kind of utility increases because it is so well-maintained. It's like, it is that kind of common framework that it hasn't it hasn't aged out, you know, it hasn't aged like milk. It's been-
Mark O'Hare: Yeah.
Garrett O'Hara: It's been maintained and stayed relevant for that reason. And, and one of the things you mentioned that I think is actually very important, but it's that idea of commonality of language and how important that is for context within organizations, for sure. But then as you're talking to, you know, peer CISOs in other organizations or as part of any associations you're in, like, I'm guessing that that starts to load up a really good way to talk about potentially the same experience or data sets, but using that common language. So very keen to hear if you've got any perspective on how it's gonna help your communications internally, or, you know, with vendors, for example, or, or even with CISOs from other organizations?
Mark O'Hare: Yeah. Yeah. Yeah, absolutely. I mean, in, in terms of vendors, it's great when vendors' products will point you at the... You know so those vendors' products logs will point you at the tactics and techniques that they are detecting along the way that helps you as you are working working against your MITRE ATT&CK framework and trying to figure out whether you can prevent and detect things. Whether whether that product actually does what you're expecting it to do.
It also really helps your, your security team understand what are the, what are the things that we need to be doing and find those gaps and plug those gaps quite quickly. So it does give you that common understanding across your team across the, the, you know, the cybersecurity industry. And, and I think, again, the reason why it's so popular is because it is, it's constantly evolving and it is based on real-world observations. So it's very powerful from, from that perspective that, you know, it's highly relevant to, to today's world.
Garrett O'Hara: Yeah, no, absolutely. Another, I suppose, another pivot and I wanted to kind of circle back on, on some of what you spoke about earlier in the conversation. Like you've been doing the CISO gig for quite some time now, and, you know, you've talked about that kinda the emergence of, or the, the kind of rise in popularity of a, you know, air quotes, risk CISO for want of a better expression. Would love to get your thoughts on how you've seen the use of kinda risk analysis change over the time you've been doing the gig of CISO.
Mark O'Hare: Sure. So you know, Mimecast, we started with ISO 27001 back in sort of 2010, 2011. And we finally got certified in 2012. And as part of that, we started a, you know, risk management program. So we've had one in place for a, for a long time. Back in the day, it was you know, qualitative risk analysis. That's using ordinal scales, like you know, numbers one to five, or green, yellow, red to describe risks to your organization based on likelihood multiplied by impact. It was quick and easy to do but is very open to bias and kind of inconsistencies and it's highly subjective.
You know, and there's some other challenges that that came out with qualitative risk analysis. For example, you got a bunch of red got a bunch of red risks. Which one is actually the reddest? You know, answering those sorts of questions, like how much risk do we have in the organization and as it relates to cyber security? Or are we spending too much or too little on security? You can't answer those sorts of questions with a, a one to five scale on risks or the, you know, green, green, amber red sort of scale.
So what I've seen is a, a shift more towards the quantitative risk analysis and specifically you know, we use internally now we've shifted toward to, to the FAIR Model. And you know, that addresses the, the prioritization problem. What should we be working on by through economic terms, you know, dollars and cents as the measurement? Rather than a, a fairly arbitrary ordinal scale. You know, it gives a, it gives a probable loss exposure for any given risk and, you know, along with dollar values for that. So it becomes really powerful as you start talking to other stakeholders in the organization.
So you know, we spoke yesterday about this quantitative risk analysis, and I'd said to you, it's, it's fantastic as you move into the organization. It's a fantastic way of bringing your risks to say the CFO and saying, you know, this is what our risks could cost us. And then you can measure that up against some of the other risks that other parts of the business are bringing, you, you know, investing or not investing in R&D or, or other, other things that the organization needs to invest in: marketing and sales and all of that sort of stuff. So it gives you a great way to to present your risks in a well-understood dollar, you know, economic terms.
And I was sort of saying to you, that's it's rest less relevant when your organization is not a very risk mature organization. And, you know, so you don't get to compare your risks with with other risks on financial terms. But I was thinking about that some more, and actually even in isolation, even if it's just your security team, at least it helps your security team really prioritize their efforts. It is easier to prioritize efforts based on quantitative risk analysis and having you know some, some sort of annualized loss, exposure, curves, those sorts of things that it really gives you much better laser focus on the things that you need to focus on as a security team. So not, not even just for the mature organization that has you know, a, a more mature risk analysis program and risk committees and things like that, but actually is relevant even if in the, in the absence of that.
Garrett O'Hara: Yeah, absolutely. Yeah. I mean, one of the things as I kind of look at FAIR that I, I think makes a lot of sense to me, and it won't be just how my brain is wired is that it sort of, it codifies or provides a taxonomy for the conversation also, you know, and it gives a, a fairly formalized approach to... I mean, it's, it's an imperfect science, right? It's I mean, partly, part art in some points, but like it gives you a better way to get to that ultimate sort of dollar value for risk, and also have the adult conversation leading to your exact point around, you know, what's the minimal expected and maximum, and then the most probable values, but that's, that is so different from, you know, the, the pretty colors. I mean, I think we'll all miss the, the beautiful you know, dashboards and heat maps, which like actually, you know, I'm kind of being frivolous there, but I don't think they go away. They, they still have value in terms of communication, so-
Mark O'Hare: Correct. And you can actually co- you can convert FAIR output into reds, ambers, and greens. It is part... It's, it's quite easy to do that.
Garrett O'Hara: Yep.
Mark O'Hare: You know, and then when someone comes and says to you like, "How did you get to that red or amber or green?" You can then dive into the details of your FAIR analysis of that particular risk and show them how you got there. With you know, with the, the qualitative risk analysis you can't really do that so well. It's not, it's not easy. And so I'll give you an example of FAIR output versus you know, non-FAIR output as it relates to a risk statement.
So so, so here's a CISO talking to the CFO and the C, the CISO says "The threat of ransomware to our business has changed this year from a low to a medium. Or it's gone from a green to a yellow. Or it's gone from a one to a three," right? So that's the statement to the CFO. So we need X amount of money, and the CFO has no idea whether they need that sort of money, and you know, what it's gonna cost if this all goes wrong. Versus a FAIR risk statement is more along the lines of, there is a 10% probability that our business will incur a loss of $150,000 in the next 12 months due to ransomware.
So you're talking about the same thing ransomware, but in the second statement there you've really given the, the, the CFO the ability to understand what the impact in dollar terms and economic terms are to the organization. And then when you say, "Well, you know, we need $100,000 for the technology that will prevent this." It's a much easier thing for the CFO to, to understand that risk and then either approve or deny the budget.
Garrett O'Hara: And, and you raised an interesting point around, you know, the communication with the, the people who hold a checkbook quite often, and one of the things that has been a, you know, really long going conversation in our industry is about, you know, business communications and how often, you know, you see CISOs struggling to get budget or to get approval for programs of works. And there's often been that conversation around, you know, the language used and converting it into, you know, simplified terms.
Actually, what I think what you've just described is, is actually what you're doing there is almost like translating it into meaningful language for a board or, you know, finance teams, so that-
Mark O'Hare: Sure.
Garrett O'Hara: ... they can actually understand the context of, you know, what's the risk, what the cost? And, you know, make that decision on spend versus not spend. But, you know, if they, if, if there is a decision not to spend, it's made with eyes wide open, as it is if there is a decision to, to, to to spend. So like it makes a lot of sense to me.
Mark O'Hare: So it's a database decision, you know, rather than a subject of this is what I think might happen. This is, you know, the likelihood and this is the impact. I'm just taking a guess at those two things. Obviously FAIR, you know, there's some subjectivity there as well. You are you are having to make some sort of educated what I call educated guesses around things. But with FAIR, you, you know, you have things like what's the minimum number of, of times a year this might happen? What's the maximum? And what's the most likely? And then you can model things between those three things, right? Monte Carlo simulations will allow you to to model the, the, the risks and your annualized loss exposure based on those kind of those inputs where you are able to vary the inputs and check, "Okay. So, you know, what and how does that change the, the, the loss magnitude if I change some of the inputs?"
Garrett O'Hara: Yeah. Most definitely. And things like, you know, without getting into the weeds or resistive strength and, and, you know, those kind of things where you-
Mark O'Hare: Yeah.
Garrett O'Hara: The things you can change, right? There's, there's some things you can control, some things you can't, but you know, being able to change the ORs feeds right up into your point about the overall, overall risk. It'd be good to get your thoughts actually you know, because this, you know, this is painting a very rosy picture of of you know, FAIR as a kind of risk analysis model, but nothing's perfect. It'd be good to get your thoughts on any kind of gotchas or downsides to FAIR as a model.
Mark O'Hare: Yeah. I think one of the negatives is that it's relatively simple, you know, so you got just a few variables that are going in there. So some of the, the feedback on it is it's, it's like it's oversimplified. But if you contrast that to the qu- the qualitative risk analysis, it's, you know, that's even more simplified. So again, it's better than the previous way of doing it. Or, you know, when I say previous, lots of people are still doing the qualitative stuff, but I think the quantitative is gaining traction. And I feel that you know, that does make it a, a stronger model. So there's that.
There's also, like I mentioned, there is still some bias and inconsistency involved. If you get some different people inputting you know, what's the, what's the frequency? Say contact frequency. You know, someone might say, "Oh, probably 10 times a year." And another analyst may say, "I think it's 100 times a year." but again, because you're using sort of minimum, minimum, maximum and likely values in there, you know, maybe the, the, the one person says, "Well, I think it's minimum is, is 10 and maximum is maybe 150 times in a year." And the other person's saying, "Well, it's 100 and it's... You know, minimum's 100 and maximum's 200. There's still some decent overlap in there."
But I think that is, that can also be a problem is that it's there is some subjectivity in in inputting, you know, contact frequencies and probability of action and, you know, threat capability type stuff. So that there is a, is a drawback, but like I said, the Monte Carlo simulation, which once you look into it is actually not that difficult tends to take care of that. And, and you come out with a, a probability. This is not an exact science. You know, none of us can predict the future. So we have to accept that you know, we've gotta, we've gotta do something and, and this is a, this probability and annualized loss exposure curves are a really good way of, of understanding it and eliminating a fair bit of bias and inconsistency.
Garrett O'Hara: Yeah, definitely. And, and you, you sort of allude to the part of what FAIR addresses is the kind of accuracy versus precision problem also-
Mark O'Hare: Yeah.
Garrett O'Hara: ... and the sort of temptation to put an exact amount on something-
Mark O'Hare: Yeah, it's-
Garrett O'Hara: ... when it's absolutely [crosstalk 00:32:34].
Mark O'Hare: ... it's highly precise, yeah. Yeah. Yeah. Yeah.
Garrett O'Hara: Yeah, exactly.
Mark O'Hare: Yeah. I mean, yeah, risk is it's uncertainty. [laughs] It's-
Garrett O'Hara: Yeah.
Mark O'Hare: ... you know, it's-
Garrett O'Hara: And we all need to make a peace with that. I think it's, and, and, and I think that can sometimes be harder because I think in life in general... This is turning into, you know, an Oprah podcast, but, you know, [laughs] people, people feel better at certainty. That's just how we're wired as human beings, but actually that just doesn't exist quite often.
Mark O'Hare: Yes.
Garrett O'Hara: And one of the comments I've heard made in our industry is that you, you see the, the sort of risk approaches that have worked for natural, you know, natural causes. So, you know, hurricanes or floods, try to be applied to things where you've got actually delivered attackers. These are, you know, they're, they're thinking human beings sentients. They're not... It's not a, a random force of nature. You know, there's, there's other things at play here. And then some of the models don't really work, but it feels like FAIR goes to some way to you know, having that adult conversation around probability, and this is guesswork and it will only every be guesswork. And and that's where we're at.
Mark O'Hare: Yeah. Yeah. And that's what I think you know, the risk-based CISO understands that this is, there is still some uncertainty in here. But actually we've got a fair bit of data that we've modeled this off. And the data is telling us that these are the most likely or most probable things and probable outcomes. And so this is where we really need to focus our, our activities. You gotta focus your activity somewhere. We all have limited resources, budgets, you know people in our, in our team. So we gotta focus it somewhere. And this helps you, this kind of thing, this fair analysis helps you focus on the right stuff.
Garrett O'Hara: Phenomenal. Wise words to to finish up here. And, and as we're talking, I'm probably thinking, should we just record the, the conversations we have in between your appearances on the podcast, and then I'm just gonna do a mashup of all the stuff that you say along the way? But mark, so, so good to, to have you back on and yeah, look forward to the, the next time you're, you're able to join us for another interesting conversation. Thank you for joining us.
Mark O'Hare: Great. Thanks for having me.
Garrett O'Hara: Thanks so much to Mark for joining us and as always, thank you for listening to The Get Cyber Resilient Podcast. Jump into our back catalog of episodes and like and subscribe. And please do leave us a review. For now, stay safe, and I look forward to catching you on the next episode.