The bad news is there is tremendous inertia to overcome, especially since the infosec profession is not the only risk discipline that doesn't fundamentally "get" risk. This presents a challenge because I commonly hear people say that, "Risk has been dealt with for a long time, so we should just do what other disciplines have done."
Great idea, in theory. But we have to be very careful about how much faith we put into existing risk models, particularly operational risk models. Some of the widely used stuff out there is laughable when it's put under a magnifying glass. I'd be curious about whether Alex has had the same observations.
A final point I'll make is that every infosec program is a risk program, whether we choose to recognize it and treat it that way or not, because, at the end of the day, the only value proposition infosec policies, processes and technologies have is their effect on an organization's loss exposure -- the frequency and magnitude of loss.
The problem is, as an industry we don't commonly put it in those terms and we haven't been measuring, managing, and expressing it in those terms. As a result, the policies, processes, and technologies that we use are not well understood in terms of their effect on that value proposition, which means that the cost-effectiveness of most infosec/risk programs is a crapshoot. Do you agree, Alex?
Hutton: Regarding Jack's question if I agree that we have to be careful about how much faith we put into existing risk models, I would say it depends <grin>. Uncertainty is hard regardless of discipline. What I have found is that some disciplines, in theory at least, have a more rational approach to how they try to understand that uncertainty than others. Some are very scientific, others not so much. The message I've been stumping for the past few years is that our industry should be very pro-science.
Now, "How to be pro-science?" "What does it mean to be pro-science as an industry?" There aren't easy answers to these questions. And we shouldn't expect "easy." The search for truth, the search for knowledge and meaning... these quests are rarely simple or easy.
But yes, I look at much of what is called "risk management" and laugh because the only other alternative is to weep.

As to Jack's other question about whether I agree with the notion that the cost effectiveness of most infosec/risk programs is a crapshoot, yes, absolutely. But more than that, I think there has been forming for some time a question about what the role of a risk management program is. This formalization has been very control-focused, thanks in no small part to the "GRC" meme. But if you take the mindset that governance should be driven by metrics, that *all* metrics (governance, performance, etc.) have some risk meaning (even if we don't have a model that directly accounts for it yet), then it may be time to remove the control focus and switch to a data-science focus.