Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Why don't risk management programs work?

John Dix | May 20, 2013
Two experts on the recent RSA conference discusses why risk management programs don't tend to work.

What that means is a great question. And an exciting one.

Jones: I couldn't agree more with Alex's statement about this being an exciting time for those in our industry who are focused on the risk perspective. We have the opportunity to break new ground -- establish a new science, if you will. What could be more fun than that? There's still so much to figure out! 

Of course, there are significant challenges too, some of which we've talked about or alluded to here already. For example, you'd better come to the table with thick skin because people are going to be sniping at you constantly. You'll be challenging conventional "wisdom" and the status quo, and that makes you a target. You'd also better be comfortable with being proven wrong because, well, sometimes you will be. 

The upside is significant, though. The industry seems to be firmly headed toward an adoption of risk, particularly quantitative statements of risk. So if someone wants to be well-positioned for jobs and promotions in the future, and/or if you want to put your stamp on the next generation of information risk management, then this is a great time. 

And those who are concerned that maybe they don't have a strong enough math background for this stuff, rest easy. Math isn't the challenge. What you do need are critical thinking skills -- the ability to think beyond the superficial veneer of current practices. This requires a willingness to look at what the industry (and sometimes you, yourself) have been doing for years and realize it doesn't make any sense. Sometimes it's been embarrassingly wrong. Challenge, continually challenge, "best practices."

Hutton: Let me end with this: the key to success in security and risk for the foreseeable future is going to be data science. In fact, in my opinion, all the hype around "Big Data" is sorely misplaced. Let me explain. For the past 20 years we've focused on the existence of the control over the skillful operation of a series of controls. We've become a culture of "installers" and, to whit, we've built a false religion about how our controls "protect" us at the expense of really understanding how they "inform" us. 

It's worth noting that our approach to the concept of compliance feeds this culture, our approach to creating standards feeds this culture, our approach to audit feeds this culture... we have multiple perverse incentives that cause us to not focus on that which has demonstrably been shown to secure (skilfull operations). The good news is that one thing that can change this culture is a move towards data centric or evidence-based risk management approach.

 

Previous Page  1  2  3  4  5  6  Next Page 

Sign up for CIO Asia eNewsletters.