Archive for October 2009

Is risk management getting too ‘mechanized’?

October 8, 2009

I was at a recent meeting we hosted for leading South African CISOs in Johannesburg. We were discussing the pros and cons of risk quantification models when one of the participants said: “I worry that attempting to quantify risks is leading us to ignore sound judgment as a decision-making tool. We believe more in the number that the system spits out rather than the instinct and advice of individuals who understand the terrain and the business context.”

Quantifying information risk and producing a single number for residual risk levels at a company is considered the holy grail for information risk professionals worldwide. It is considered an essential tool to systematize the ever-changing world of information risks. This CISO was arguing for “a return of judgment” in risk decision-making.

Interestingly enough, the latest (October 2009) issue of the Harvard Business Review (login required) makes a similar argument in its ‘Spotlight on Risk’ issue. In an article titled “The Six Mistakes Executives Make in Risk Management”, the authors argue that
“Instead of trying to anticipate low-probability, high-impact events, we should reduce our vulnerability to them. Risk management, we believe, should be about lessening the impact of what we don’t understand – not a futile attempt to develop sophisticated techniques and stories that perpetuate our illusions of being able to understand and predict the social and economic environment.”

The fundamental questions that Information Risk professionals need to answer are:
– Where and how do quantification models help?
– How can we use them to supplement sound judgment (and not substitute for it)?
– How can we help our team members get a better understanding of the business context they operate in to help them make the right decisions?

In IREC, we have taken the view that CISOs have a better shot at understanding their controls environment and plugging obvious gaps in their controls portfolio than at investing time and effort in building out sophisticated risk models. In other words, how do we reduce our vulnerability to high-impact events by strengthening our controls?

Some would say that this is only pragmatic, given that most companies don’t have good actuarial data on threats, loss events and the like. Others would consider it heretical that Information Risk professionals are calling into question the very need for risk quantification. What is your view?


Happy National Cybersecurity Awareness Month!!

October 2, 2009

October is National Cybersecurity Awareness Month in the US (read the full White House press release here).

Excerpting from the press release, President Obama says: “I call upon the people of the United States to recognize the importance of cybersecurity and to observe this month with appropriate activities, events, and trainings to enhance our national security and resilience.”

Looks like CISOs are jumping on the bandwagon too, leveraging the press and buzz this receives to drive security awareness at their respective organizations. From a recent thread in one of IREC’s discussion forums, we heard of a variety of events CISOs are planning at their companies:
– Declaring a “Cybersecurity Day” in October featuring an external expert speaker
– Interviews with company leaders on the importance of cyber/information security that will be broadcast globally
– Tent cards in cafeterias and cybersecurity awareness bookmarks
– Encouraging employees to complete the online security training module in October

In the age of information overload and flat budgets (the average company spends 2% of its security budget on employee awareness and training), it is very hard to get employees’ attention for matters such as secure behavior. I’m glad that the US Government is drawing attention to this matter; it will provide a much-needed ‘hook’ for CISOs to draw attention to security in their companies.