The value of risk management to the organisation

“Most businesses, most boards, don’t spend a lot of time thinking about uncertainty. In fact, they are terrified of doing so.” The quote is from a good article in Strategic Risk Global about the value of risk management and why many risk managers can’t seem to make a difference in the perception of what they do for the organisation. “[T]o create a more effective relationship between the risk function and the board, risk managers must stand up and show their bosses that they are not mere insurance buyers, as some senior leaders perceive them to be.”

Complex topic? Dumb it down and everyone loses.

It must be just me, but every time there’s a need to present a complex topic to the executives or business leadership (topic for another musing, methinks) I get the typical looks of “oh no, he’s going to get all lectury again”. And it’s true: I prefer to present complex topics as complex, even if the style of presentation makes them approachable. There’s no way to dumb down something that’s complex without three consequences. First, we send the message that, sure, they may be leaders of the organisation, people we entrust to make the right decisions, but let’s not show them anything that a 5th grader couldn’t solve, or they’ll end up in the foetal position on the floor begging to make it go away. Second, we make the whole organisation poorer for the experience and less equipped to make the right calls, because we, the experts, decided that only we should hold the knowledge. Third, we make ourselves poorer for the experience, because when we start dumbing down complex topics, as opposed to making them approachable, we also deny ourselves the opportunity to challenge our own understanding of them.

Risk Appetite Redux

In the “Risk, risk everywhere and not an appetite for it” post I proposed the following spur-of-the-moment, caffeine-fuelled definitions for risk appetite and risk tolerance: “Risk appetite: This is your general, high-level expression of what you are, or aren’t, willing to risk in order to reach your goal. Get your goodies. Join the dark side to get your hot little hands on their cookies. Whatever your long-term goal is. An example of a risk appetite would be: I’m happy to risk 10% of everything I have in order to get at least 20% profit.

It's the utility, stupid!

“Managers who are isolated from the intelligence customer tend to monitor the quantity of reports produced and level of polish in intelligence products, but not the utility of the intelligence itself.”[1] This sounds equally true if you replace “intelligence” with “risk”.

[1] Jack Davis, The Challenge of Opportunity Analysis

Shrill voices never help in a crisis, but they are the first to be heard

Ever since Stuxnet thundered onto the global scene in the second half of 2010 the world has been awash with fresh doses of FUD. Slowly but surely, calmer and more pragmatic heads are prevailing: “Stuxnet: It’s a real threat, but not something we should shovel money at”, by Tom Ricks, The Best Defense: “The correct response to Stuxnet is to acknowledge the risks of cyber war, but be discerning in our reaction. We must separate the sensational from the legitimate, and only invest in valid and practical strategies.”

Asymmetric warfare? Asymmetric definitely. Warfare? Too Early.

So we have: “A person, believed to be a man, entered the “sterile” area of the terminal at about 9:30am today via the exit doors from the baggage collection area. … [T]he man was spotted on closed circuit TV entering through the exit but security staff watching monitors lost track of him once inside the terminal. Thousands of people are now being cleared out of the terminal to be rescreened by security. … The breach exposes a gap in the terminal’s security for which Qantas is responsible, as there are no security officers permanently stationed at the “out” doors to watch passenger movements.”

Zealots, of all shapes and sizes only preach to the converted

I have been an unwilling participant in a number of “do this and your [life|career|…] will change dramatically!” pitches. Often we call that a “sales pitch” and dismiss the message and the messenger outright. IT is very good at dismissing others’ “sales pitches” and, like all good zealots, completely blind to its own. One thing common to all of them is their fervent belief in what they’re telling you and their sincere wish to help you achieve your goal AS THEY SEE IT.

Risks, vulnerabilities and threats

Pete Lindstrom points back to Robert Graham, who originally posted his well-reasoned thoughts on that old topic, full disclosure, in “Rudeness, risk and vulnerability disclosure”: “But there is another more important aspect to security research that gets ignored quite frequently – risk. I believe that if not all, then almost all “whitehat” security researchers are focused on the vulnerability part of the risk equation in their attempts to reduce risk. But the ultimate consequences, in the form of compromises, are largely overlooked.”