Open Comments, hosted by The Open Group

Open Comments - Episode 20: S is for Security and E is for Evolving, with John Feezell

January 23, 2024 The Open Group Season 1 Episode 20

Embark on an inspirational cyber journey with John Feezell, who proves that with passion and an unquenchable thirst for knowledge, the leap from music to mastering the intricacies of IT and cybersecurity is not only possible but can propel one to become a leader in the domain of cyber risk quantification. This episode peels back the layers of John's career, revealing how he harnessed every learning opportunity, from IBM's corridors to the continuous pursuit of certifications, to redefine his trajectory. His message resonates with an unmistakable clarity: the tech world's doors are wide open for those willing to embrace growth, regardless of their educational origins.

John's candid reflections on professional development extend beyond conventional classrooms, underscoring the potency of audiobooks and the art of wielding 'idle brain' moments as tools for intellectual expansion. Sharing his personal recommendations, including titles like "How to Measure Anything in Cybersecurity Risk," he illuminates how integrating learning with life's projects can profoundly shape one's expertise. Furthermore, John takes us through his evolution as a public speaker, sharing invaluable strategies that transitioned him from nervousness to delivering powerhouse presentations, like his thought-provoking discourse at The Open Group Summit. His forward-looking insights on the FAIR framework encapsulate a vision for a more accessible future, where structured thinking becomes a universal asset in the dynamic landscape of cyber risk.

Copyright © The Open Group 2023-2024. All rights reserved.

Speaker 1:

Welcome to Open Comments with myself Ash.

Speaker 2:

And me Irene.

Speaker 1:

A show that opens a conversation onto career advice, career journeys, lifelong learning and more. Through this innovative podcast, we'll be offering insightful dialogues with an equal mix of humour and candor. Join us as we embark on an engaging conversational journey with a diverse set of guests from different walks of life. We hope you enjoy our show and look forward to bringing more topics into the fold for you through each episode. Let's dive in.

Speaker 2:

With us today is John Feezell, who is a recognised leader in the field of cyber risk quantification and is the global CRQ lead for the Kyndryl Global Security and Resiliency practice. John came to Kyndryl at its launch two years ago with 20 years of security systems expertise, tempered in the fires of IBM services, as well as four years in the insurance industry with Blue Cross Blue Shield and Unum. As a passionate evangelist of the FAIR standard, John is leading the charge to launch Kyndryl service offerings related to CRQ and third-party risk management, as well as coaching many to achieve FAIR certification through mentoring and boot camps. We look forward to speaking to you, John, about your career journey, advice you have for graduates and more.

Speaker 3:

Excellent, it's wonderful to be here, Ash, Irene. Thank you for having me.

Speaker 1:

Thank you. Now to start off with, can you walk us through your career journey from the beginning and what sparked your interest in your field?

Speaker 3:

Oh goodness. Well, my career journey started with IBM. We'll go to that point. I actually have a degree in music, so my degree is in trumpet performance and along the way I was amazed to find out so many of my peers at IBM also had music degrees. And so I think, as we peer into the abyss of the needed numbers of cybersecurity personnel and folks to walk into those positions, I think first of all I would encourage folks if you have an interest in this, if it sparks you in some way, don't look at your history, look forward and you can accomplish this. There are ways to do that.

Speaker 3:

So, with my personal journey, I started with IBM, but not doing any programming or anything like that. I actually started replacing what they called FRUs, field replacement units, and what this meant was, Ash, I would drive up to your business location. I would bring in a box, unpack the box and put a new display or a new keyboard on your desk that was under warranty, make sure that it worked and walk on to my next call. That was actually my beginning in IT. I began to learn a lot. There was a lot of on-the-job training; I learned a lot about the workstation piece.

Speaker 3:

At that time there was also not a depot for sending your laptop in or getting a hot-swap laptop, and so I remember many times being in an executive's office sitting on their couch next to their coffee table with their laptop completely disassembled in many, many different pieces, as I was replacing an LCD screen or a keyboard. So those were the origins. Then I began to tag along and get some OJT with some folks that were working on the servers and began learning more about that. So the education process never has stopped since then. But that was a pretty humble beginning, and so I think, in terms of encouraging folks who might be looking into or interested in security as a possible pivot or as a possible job career type of track, even if you haven't been doing those things in the past, it's wide open. You just got to, you know, the water's great, dive in.

Speaker 2:

And what has initially sparked your interest in the IT field, going from being a music major?

Speaker 3:

Well, that was interesting as well. So my father was a programmer in Pascal and some other things, back when he used to do his programming on punch cards, and we moved to Texas when I was in third grade because USAA was there and he was assigned as the head of group research and did a lot of programming on their mainframe and so forth. But he would bring home things like, for example, the TI-99. I don't know if you remember those old types of pieces of hardware that we used to get, and we would write programs and record those programs on an audio cassette player. It would go like that and it would record the code that we had written. And so you know, I can remember in middle school and in high school playing with those things, and so that was kind of the origins of my interest in computing.

Speaker 2:

Oh wow, so you were exposed to it from a fairly young age then, and so it's always just been right there on the back of your mind.

Speaker 3:

Yes.

Speaker 2:

And so when you first decided that you might have an interest in IT, did you go back to school, or how did you start that educational journey?

Speaker 3:

Well, with IBM there were lots of opportunities for education, but also some external education opportunities with ISC squared, another group you may be familiar with, in my pursuit of CISSP certification. There was a lot of education to be done there. I've taken advantage of a lot of books and online courses. Audiobooks have been a big thing for me. I consume lots of audiobooks, Audible books, and oftentimes consume them over and over and over again.

Speaker 1:

And continuing on your educational journey. How important is lifelong learning to you? What would you say is your learning style?

Speaker 3:

Oh, my learning style is, if I'm awake, I'm trying to learn something new. You know I mentioned the Audible books. There's also a tremendous amount of webinar content out there that is available. Of course, The Open Group and the Security Forum under The Open Group will have webinars. All of those are great, great opportunities. Also, the Cyentia Institute has great learning opportunities in both their publications as well as their webinars. If you are able to become a member of ISC squared, there's a tremendous amount of learning materials there as well.

Speaker 3:

About a decade ago I bought a 40-acre farm and moved out here, so I no longer have a gym membership. My farm is my gym membership. So you know I'm out. There's lots of things to be done maintenance-wise and most of the time when I'm outside you'll find my earbuds in and I'm actually listening to books and doing some education there as well. But it has to be a part of every day as I apportion my time out and meetings and so forth. There's lots of important things and this has to remain prioritized. If you prioritize it out somewhere in the future, it's not going to get done. It has to be a daily prioritization and it can be as little as 15 minutes. You know reading a few pages in a book and then pausing to contemplate how you can apply those things. But that exercise of that muscle, if you will, that muscle memory in your brain, you have to keep that up every day.

Speaker 1:

And would you say, in terms of how you prioritize, would you say that's also linked to staying focused, in terms of, you know, how you break things down, how you allocate time to certain things in a quite structured and organized way? So yeah, would you say it feeds into how you stay focused?

Speaker 3:

Oh, absolutely, it enables that focus. Yeah, it's key to that. Yeah, it's key to that.

Speaker 1:

Perfect, thank you.

Speaker 2:

And John, you had mentioned that you like to spend some of your time listening to audiobooks, and some of the audiobooks that you like to listen to repeatedly. Are there any that you'd like to share with the audience that you would recommend?

Speaker 3:

Well, sure, I'd be happy to. So one of the primary ones. And if you're listening in audio format you have to be careful. If there's lots of formulas and maybe descriptions of calculations, those chapters you might have to just read, and listening to them, your eyes kind of glaze over. And the reason I say that is the first one I would put on the list, and these are all available in Audible, Audible.com, through Amazon and probably some other venues as well. But this is a standard, a classic for my area of expertise, which is cyber risk quantification, and so this is, of course, Doug Hubbard and Richard Seiersen's How to Measure Anything in Cybersecurity Risk, and they've just come out with the second edition of that that is available. There's a lot of additional great content and updates that they've put in that book, so that's one that I have on repeat.

Speaker 3:

There's another one that a friend of mine put me on to recently called Thinking in Bets, and this is by a lady named Annie Duke. It is not an IT book, it is a book about probability and about uncertainty and about decision science and making decisions under uncertainty. So it's a great auxiliary book to have, and a voice; I try to have Annie's voice in my head. Another one that's great, and I've consumed this one three or four times and I'm still contemplating how this ties in. I know there's something to be mined here and gleaned, but I'm still working on it.

Speaker 3:

And it is by a man named Nassim Taleb and it's called Antifragile. It's kind of the end of a series of books where you may have heard the term Black Swan; I believe he introduced that term, and this is the maturing of that series of books, and Antifragile is something that needs to be revisited and discussed. And then two more, since you asked. These are ones I listen to again and again. Tetlock and Gardner put out one called Superforecasting, and then, of course, Daniel Kahneman has a classic called Thinking, Fast and Slow. So those would be on speed dial for my audiobooks. I wish there was one for the Jack Jones book Measuring and Managing Information Risk. I've threatened to read it to myself so I can have one like that, or maybe I'll get an AI to read it to me.

Speaker 2:

Oh, there you go. Wishful thinking there.

Speaker 3:

There you go.

Speaker 1:

And now moving steadily along to current projects that you may have. How do you balance your current role, or even projects, for that matter, with your ongoing commitment to learning and growth? Now, I know we've just spoken about, you know, lifelong learning, but how do you balance current projects that you have, but also, on the side, continuing to learn and grow, with other pursuits that you may do as well?

Speaker 3:

Yeah, I think. I think there's two pieces to that. One is daily prioritization. It's what I talked about before. It has to be on the radar every day. It doesn't have to be extreme, doesn't have to be two hours of focused study, but you have to exercise that brain muscle and you have to do that on a daily basis. It has to take its place among your prioritization of your elements during the day.

Speaker 3:

And then the other piece of that, the other approach, would be look at what time you're wasting, or time that isn't being utilized, or any time in your day where your brain is idling. Now we do need some idle time, and in fact that's something you need to plan out: time for pondering the things that you've learned, in a quiet space or with some calm music, something to kind of remove you from your environment, and thinking about how can I apply these things. So there is that need, but there's also time that we all have driving in the car, mowing the lawn, you know, commuting, all of these things. All of these times can be filled. We have technology that allows us to fill that. I've got my earbuds, I pop them in, and suddenly Annie Duke is lecturing me again. You know, so we can leverage those times, we just have to purposely look for them.

Speaker 1:

Would you also say as well, in the notion of time being sacred, in terms of, you know, how much time you may put into something, how much time you may spend in someone's company, in the sense that, obviously, time is a priority, right? So obviously the time that we give to certain things, to certain projects, that can all equate to a certain amount of time overall. So do you think it's important, as you say, how you may schedule things or how you may prioritize things? Do you think that helps in understanding where you need to be at certain times but also what you have on your plate, as opposed to maybe free-flowing in terms of having less of a time structure?

Speaker 3:

Yeah, I think for creativity, for me at least, you know, I have to have those times that are, as you mentioned, unstructured in order to be able to do that. But I have to be very, very certain and directed about positioning those times and prioritizing them, defending them, protecting them. They might be a block of time, it might be a four-hour block on a Friday afternoon, for example, that you defend vigorously. You defend it so that you can have that time to be unstructured and to be creative.

Speaker 1:

Would you say reflection is important there as well, in terms of, you know, reflecting in certain moments, so giving the time to reflect on how certain projects have gone, how certain meetings have gone? So do you think that's also important as well, being a bit more conscious, you know, on that part as well? Absolutely.

Speaker 3:

Absolutely. I think, you know, from a project management perspective, you always want to do the retrospective, you want to do the, you know, what went well, what didn't go so well. From a project perspective, if you have a meeting that's, you know, kind of groundbreaking in a good way or in a bad way, it's also very good to set aside some time to think deeply about that. What went well, what could I cultivate or foster, or what went wrong? Yes, how could I prevent that in the future? What lessons could I learn from that? If you came away from that meeting being very distraught, or you know that was not a very successful meeting, you have bad feelings about it, it's certainly important to do that.

Speaker 3:

I wouldn't recommend doing it across every meeting, but I think there are some where that would yield a benefit to you. Yeah, again that unstructured type of thinking. You almost have to put a hard shell around that. That's soft and chewy, and you have to have that hard shell of: I have this block of time, nobody messes with me during this block of time. Yes, thank you.

Speaker 2:

And how often do you find yourself giving yourself that block of time now?

Speaker 3:

Well, I think at least weekly. I have a reasonably large block of time that I have to allow myself to do that.

Speaker 2:

Okay, and John, you know, after our conversation here today, and I know you just recently presented at The Open Group Summit, but you seem like a really strong presenter. Have you always been a strong presenter?

Speaker 3:

No, I have not. So getting comfortable in front of crowds is something where, you know, there's not a shortcut to that. You just look for opportunities and you throw yourself into the water over and over and over again, and after a little while you learn to swim. I think that's been my track.

Speaker 2:

Basically, you would just say you were trading comfort in order for you to grow within your presentation skills to be where you are today.

Speaker 3:

Absolutely.

Speaker 3:

And you know the unstructured time to contemplate what has happened I think is an important element of that growth factor.

Speaker 3:

You know, in speaking at an engagement, then taking that time to say what went well, what didn't go well, having some goals as you go into that meeting. You know, for example, you mentioned my recent presentation at The Open Group Summit in Houston. That was a very diverse set of audience attendees. Some of them, you know, were around for the inception of the Open FAIR standard and guided that standard through all of its permutations to final publication, and some folks were just coming in to try to figure out what this risk quantification thing was. And so you have that wide breadth of folks, and my overarching goal was to give each one of those groups something to take away, something of value, a piece of value that they could take away. And so that kind of overarching goal framed how I laid out my slides and the approach, and you also have other constraints, so this was a 30-minute session, so that actually upped the constraints a little bit, and so we needed to, you know, plan accordingly.

Speaker 1:

Thank you. Now, before we end, we'd like to start a short, quick fire round of questions. So the first question is if you could invite anyone from the past or present to dinner, who would they be? And they can be a celebrity as well, if you'd like.

Speaker 3:

Anyone from the past and the present to dinner. I think I would like to sit down with Jack Jones and Doug Hubbard.

Speaker 1:

And what profession were these particular individuals in?

Speaker 3:

Yes. Well, Jack Jones was the author of Measuring and Managing Information Risk, and he kind of kicked off the idea of FAIR, the concept of FAIR. That was then codified by The Open Group as Open FAIR. And of course Doug Hubbard, you know, and Richard Seiersen, they released the book How to Measure Anything in Cybersecurity Risk and also another series. There's a whole series of books behind that, and that was just, you know, ground-shaking in the industry, and I would love to sit down and just listen to them.

Speaker 1:

And would there be any specific questions that, you know, you would like to ask them?

Speaker 3:

You know, there's actually some things I've been thinking about FAIR, and this may go off on a different tangent, if I have permission to go there. You know, one of the things I love about FAIR itself, and this is for those who may not be, just excuse me, let me start over. For those who may just be, you know, tuning into FAIR and figuring out what FAIR is: this is the Factor Analysis of Information Risk. It's the standard by which we quantify cyber risk in an organized, structured fashion under The Open Group's standard, Open FAIR. And one of the things I love about FAIR is that it's a framework for critical decomposition. It gives us permission to be uncertain and it allows us to embrace that uncertainty.

Speaker 3:

You know I mentioned Jack Jones as the person I would invite to dinner. He has a quote in his book, it's one of my favorite quotes and, if you don't mind, I'll just share it with you right now about FAIR, and I think this is key for us to remember. He says: we need to point out that, even though FAIR provides a great framework for doing quantitative risk analysis, we use FAIR every day in non-quantitative ways. In fact, probably more than 95% of our use of FAIR doesn't involve PERT distributions, Monte Carlo functions, graphs, charts or tables. FAIR is nomenclature. It is a set of models and a framework for thinking through complex scenarios clearly and confidently, and it's a way to explain how you came to your conclusions. None of that requires numbers or tools, but when you want or need to use those numbers, it does that too. And I think that's a great summary of the application of FAIR. And if I were able to sit down and talk with them, I've been kind of contemplating where FAIR has come and where it needs to go. We've kind of seen FAIR since, I believe, Jack's book came out, 2014 or so, and we've seen this birthing phase, if you will, of FAIR, the establishment of legitimacy and this working towards achieving critical mass. This year, and I know John Linford was there as well, at the annual FAIRCon with the FAIR Institute, at this year's FAIRCon, there were actually folks from the federal government, folks from the SEC, the chief SEC enforcement agent. They were all on stage and speaking about FAIR.

Speaker 3:

I think we've achieved that critical mass now, and what needs to happen next is what I call the democratization of FAIR. So FAIR is that framework for critical thinking. But if we're going to democratize that, if we're going to make it available to the masses, if you will, we've got to do two things, I think. We've got to look across the aisle and reach out across the aisle, as they say here in the United States. Reach out across the aisle to the camps that are still doing the qualitative risk analysis versus this quantitative piece that we're talking about. And the other way we can democratize FAIR is through data. So FAIR does require data. It is that critical thinking framework that Jack talks about.

Speaker 3:

But when it's time to pull out the calculator, then it's time to bring data to the table. And you can kind of think of a data resolution knob where you would turn that up in grades, and only up until it's fit for the purpose of the decision that you're trying to inform. And we see that data coming in now, with industry data; there's Advisen data that's available. The Cyentia Institute is launching some things that are very exciting with regards to data feeds, and the reason these things can come together is because of The Open Group's Open FAIR standard. Because it is that standard, it provides that common language, that common taxonomy. But then we need to ramp that up into some automated data telemetry, from a client environment, for example, and then we can ramp it up even a little bit more with harvested data telemetry that a client, or a company, a user of this, might be able to glean from logs and types of records, interviews with their HR department and so forth, their legal department. And then the last line of data there, I would think, would be calibrated estimates from subject matter experts. And so as we bring all these data elements to the table in an increasingly automated, increasingly accessible manner, I think it's going to tie in with that critical mass that we're achieving with FAIR, but then also that democratization where many, many, many folks can begin to use it as well.

Speaker 3:

I kind of think of, in recording, Ash, you're in the recording business and so forth. You know, I deal some with sound gear myself, and there's a thing, they also do this with computers and networking, but there's a thing called a patch bay, where you've got little short cables and you can patch from one channel to another channel, and I think there needs to be some sort of standardized patch bay for these types of data telemetry inputs. And the exciting thing about FAIR is that it provides that common taxonomy and that common language, that common understanding and framework to allow things like that to develop. So that's really what I would want to discuss at the dinner that you propose. I think there's a lot to be done. You know, in reaching across the aisle, I would probably bring a couple of folks along from that other camp, that qualitative camp, because I would want to hear their viewpoint as well.

Speaker 1:

Thank you, and what hobbies have you taken up recently that you are enjoying?

Speaker 3:

Oh well, you know I mentioned earlier that we had purchased a small acreage farm about a decade ago, and so I think, caring for the variety of animals that we have here. We occasionally bring in some wild mustangs and work with them and gentle them, train them, but I also have, you know, many animals, like chicks that I raise from eggs, and, you know, I've got several guardian dogs that I'm pretty keen on. So it's probably walking away from my desk, being outside in nature, and having, you know, my animals there to care for.

Speaker 2:

Sounds like a great way to use your free time and get away. Like you said, that time for you to step away and just have that unfiltered thinking and just think about whatever you need to.

Speaker 3:

Absolutely, and you don't have to have a farm to do that. You can go down to the neighborhood park, but just take that effort to get away, stand up, step away. You know, we're also tied to our workstations now in this environment. So it's a good discipline to step away multiple times a day. Multiple shorter times is better than "oh, I'll do that in an hour," or "I'll do an hour of that later on this evening." Just do multiple breaks.

Speaker 1:

Thank you, John, for joining our show. It's been great having you on and discussing not only your journey, but, you know, how you're so passionate about cybersecurity and more, and it's been really nice chatting to you today. So thank you so much, and we would also like to say a big thank you to our listeners, the Open Comments community, who have been tuning into the podcast. We've really been enjoying bringing different topics into the fold for you, along with a vast variety of subject matter experts. Please stay tuned for the next episode coming soon. Thank you, stay safe.

Chapter markers:
Career Advice and Lifelong Learning Journey
Audiobooks and Learning With Projects
Thinking, Presentations, Future of FAIR