2.) We don't know how to value a risk and metrics program. There is a Catch22 around ROI. Most people won't invest in risk and metrics until they understand the value (business case). But getting those value statements to make that business case? Well, that requires a strong investment in a risk and metrics program.
3.) Bias. Without strong data and formal methods that are widely identified as useful and successful, the Overconfidence Effect (a serious cognitive bias) is deep and strong. Combined with the stress of our thinning money and time resources, this Overconfidence Effect leads to a generally dismissive attitude toward formalism. In fact, I've seen the Overconfidence Effect happen even when the practitioner has some of the greatest data in the world at their fingertips!
Thus we find ourselves (as an industry) in a similar Catch22 to the above: We don't get the strong formal methods we may all agree we want in order to be data-driven, because we don't believe that we personally need them. But until we recognize that we need them we won't contribute to, and thus receive, their development.
4.) Laziness. Most people want this all handed to them on a plate. If we're realistic with ourselves we all are waiting for some 1U box to come deliver our risk and metrics for us. We don't want to actually work for a rational approach to security. In the meantime, it's much easier to buy a bunch of managed services, 1U appliances, and roll the dice hoping that tomorrow isn't the day we get owned.
Jones: As usual, Alex nails some critical and, in some ways subtle, points. I particularly like his observation that our industry thinks it understands risk. This creates numerous challenges, not the least of which is that I suspect it's much more difficult getting people to shift paradigms than to adopt a net-new paradigm.
So, it seems that "all" we have to do to make infosec risk programs successful is:
- Fix a flawed belief system (or systems)
- Resolve a chicken-vs-egg problem related to metrics
- Compensate for human bias
- Make it simple enough for people who want it handed to them on a platter
Actually, the good news is we're beginning to see more mature approaches to risk, although it feels like painfully slow progress sometimes. There are also methods for dealing with human bias, if people are willing to learn and apply those methods. As for simplicity, it's not as hard as it seems. Some of the difficulty is perception only, and some of the rest can be resolved with time. Of course, I'm skeptical that a 1U box for risk will ever be the end game.
Sign up for CIO Asia eNewsletters.