Why Risk Management is Like Eating Lettuce

On Sundays it’s a British tradition to wake up with a hangover, get a copy of the Sunday Times and watch the morning politics shows on the Beeb. This Sunday past was traditional for me. Data breaches and privacy are hot political topics in the UK after the national fiasco overseen by Alistair Darling. I do feel a sarcastic letter coming on (“Dear Mr. Darling, your name is such an irony”) but I will leave that for Wine’O'Clock sometime. One of the more recent national fiascos was this:

Two compact discs containing bank details and addresses of 9.5 million parents and the names, dates of birth and National Insurance numbers of all 15.5 million children in the country went missing after a junior employee of HM Revenue and Customs sent them in the mail, unrecorded and unregistered.

Rumours on the grid are that the dopey bastard forgot to send the disks, lied to his boss to cover his tracks and within days a storm in a teacup was well and truly the size of Amy Winehouse’s drug habit. The police are looking for the man in the photo. The MOD then lost records of 600,000 people who were interested in becoming cannon fodder in the Middle East, and now, to top it all, the national institution Marks and Spencer has fallen victim. For my American friends, M&S is where everyone’s granny buys their knickers and slippers, but it has always sold fantastic food. The “Gastro Pub Steak and Ale Pie” and the “Goan Prawn Curry” are my current favourites.

All of a sudden experts (pronounced “ex” as in past and “spurt” as in drip) offer an array of advice on the TV about how to secure data and how simple it is to take basic measures. It’s a media frenzy and I plan to keep my head right down for fear the industry will accelerate into FUD Factor 4 and people think I am part of it.

I am, however, pleased to say we may now have turned a corner and data loss may no longer be in vogue.

It is being replaced by RISK MANAGEMENT.

Yes, it seems the UK tax authority has recommended that thousands of high-profile people should not submit their tax returns online. This has caused uproar among some who think everyone should be treated the same. Consumer groups are complaining and security experts I have never heard of are crawling from the woodwork to claim their 15 minutes of fame.

It’s bloody common sense. It’s basic risk management. People with a higher profile or with more money will be at greater risk, and so appropriate controls should be applied. If that means pulling the plug (it seems extreme, but so be it), get over yourselves. The decision clearly doesn’t mean that Stan the milkman from Wolverhampton shouldn’t be “safe enough”. News flash: very few businesses are in business to be secure; they are in business to be secure enough. Few people live to be secure; they want to be secure enough. We are all different. That’s what makes the world go around, don’t you know.

This does, however, bring me to the salacious title of this blog post. It’s hard for anyone to disagree that risk management is the holy grail of information security. The challenge has always been, and always will be, bridging common real-life scenarios to security controls via the discipline of risk management. We have all seen or heard about risk assessments that everyone agrees with but are effectively useless academic exercises because the analyst couldn’t tie the findings to consequences and actions. And so to my point: risk management is like eating lettuce. Until my wife comes up with a tangible formula such as “eat 5 leaves a day and your blood pressure will improve by 2% and you will lose 2 lbs in 4 weeks”, I am happy to acknowledge that lettuce is probably good for you and it makes sense to eat it, but I will still continue to pick it out of my sandwiches whenever I find it.

Note: There are some interesting frameworks evolving like FAIR that are attempting to bridge the gap.


6 Comments on “Why Risk Management is Like Eating Lettuce”


  1. [...] the organization. So when we talk about failures in current approaches to risk management – Curphey is right. To decision makers, discrete risk issues can be seen to be simply a lot of lettuce. They know [...]

  2. Matt Says:

    If you want to skip lettuce I think you’ll be fine… iceberg lettuce (what most people normally think of, and what comes on most sandwiches stateside) has almost no nutritional content to go along with nearly no calories.

    If you ate lettuce in place of other food, yeah, you’d probably see an improvement in your numbers. But adding lettuce to your existing eating won’t likely have any effect.

  3. Ben Says:

    You missed the obligatory Blackadder reference… :)

  4. LonerVamp Says:

    “Rumours on the grid are that the dopey bastard forgot to send the disk, lied to his boss to cover his tracks and within days a storm in a tea-cup was well and truly the size of Amy Winehouse’s drug habit.”

    I think this happens more than most would be comfortable thinking about. Employee screws something up, claims someone else must have taken it or it got lost by someone else, brush under rug. Until laws or society require the disclosure…oops.

    Or the internal swiping of company property. “IT hasn’t checked my external hard drive in years, I think I’ll just take it home. Oops, they stopped by yesterday for an inventory audit, so I gave an omigosh doe-eyed, innocent gasp and have no idea where it went! Shit, it potentially had 2 million pieces of PI! Dodge, dodge, stick to your guns, admit no wrong!! Better the company get in trouble and spend millions than me get slapped on the wrist!”

  5. pyrim Says:

    You do realise that when government and the public interact it isn’t about risk management, it’s all about being fair and equitable.
    Where I live, there was a health issue where the govt most likely did a risk assessment and didn’t treat everyone the same. There was an outcry that some people were more equal than others and received the treatment in question. The public just does NOT care about risk or cost… if the Joneses get something, so should I!!!

  6. reyna Says:

    I will like to eat that up
