<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Risk Management is a Utopian Kool-aid</title>
	<atom:link href="http://chaordicmind.com/blog/2009/05/05/risk-management-is-a-utopian-kool-aid/feed/" rel="self" type="application/rss+xml" />
	<link>http://chaordicmind.com/blog/2009/05/05/risk-management-is-a-utopian-kool-aid/</link>
	<description>Mixing childlike wonder with adultlike understanding</description>
	<lastBuildDate>Thu, 09 Feb 2012 14:50:58 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
	<item>
		<title>By: Chris Hayes</title>
		<link>http://chaordicmind.com/blog/2009/05/05/risk-management-is-a-utopian-kool-aid/comment-page-1/#comment-7</link>
		<dc:creator>Chris Hayes</dc:creator>
		<pubDate>Wed, 13 May 2009 11:13:49 +0000</pubDate>
		<guid isPermaLink="false">http://chaordicmind.com/blog/?p=5#comment-7</guid>
		<description>Interesting thoughts here and both of you have touched on a topic that I would like to blog about based on some recent work I have been doing. I think it is possible to talk about risk in both the context of a scalpel and meat cleaver – in the same conversation. Those in the actuarial profession have been doing this for years. In addition, given the fact that more and more companies are trying to manage operational risk better (and a lot of them categorize information security risk as operational risk) – being able to articulate to management what they should invest or set aside now and why is very important.</description>
		<content:encoded><![CDATA[<p>Interesting thoughts here and both of you have touched on a topic that I would like to blog about based on some recent work I have been doing. I think it is possible to talk about risk in both the context of a scalpel and meat cleaver – in the same conversation. Those in the actuarial profession have been doing this for years. In addition, given the fact that more and more companies are trying to manage operational risk better (and a lot of them categorize information security risk as operational risk) – being able to articulate to management what they should invest or set aside now and why is very important.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ben</title>
		<link>http://chaordicmind.com/blog/2009/05/05/risk-management-is-a-utopian-kool-aid/comment-page-1/#comment-5</link>
		<dc:creator>Ben</dc:creator>
		<pubDate>Tue, 05 May 2009 22:25:09 +0000</pubDate>
		<guid isPermaLink="false">http://chaordicmind.com/blog/?p=5#comment-5</guid>
		<description>&lt;a href=&quot;#comment-4&quot; rel=&quot;nofollow&quot;&gt;@admin&lt;/a&gt; 
I&#039;ve long been a fan of OCTAVE from SEI/CERT (http://www.cert.org/octave/) because it does what you&#039;re talking about. It puts the business heads in a room, walks them through a reasonable process, and in the end produces a strategic risk-based approach to managing the organization. Unfortunately, very few organizations seem to value this approach, which is really too bad.

Where I think your comments bear tempering is with regards to the amount of data we need. I think our friends from RMI would point out that in the world of Bayes, we don&#039;t need a whole lot of data. Hence, FAIR makes for nice risk measurement. Combine this with your favorite CMM and off you go. :)

All this being said, I think we agree that the model is broken; that we need a new way of thinking. People simply do not get tech risk in the same way that they get physical risk. And, even then, we see disproportionate focus on low probability events instead of the high probability events. :S</description>
		<content:encoded><![CDATA[<p><a href="#comment-4" rel="nofollow">@admin</a><br />
I&#8217;ve long been a fan of OCTAVE from SEI/CERT (<a href="http://www.cert.org/octave/" rel="nofollow">http://www.cert.org/octave/</a>) because it does what you&#8217;re talking about. It puts the business heads in a room, walks them through a reasonable process, and in the end produces a strategic risk-based approach to managing the organization. Unfortunately, very few organizations seem to value this approach, which is really too bad.</p>
<p>Where I think your comments bear tempering is with regards to the amount of data we need. I think our friends from RMI would point out that in the world of Bayes, we don&#8217;t need a whole lot of data. Hence, FAIR makes for nice risk measurement. Combine this with your favorite CMM and off you go. <img src='http://chaordicmind.com/blog/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p>All this being said, I think we agree that the model is broken; that we need a new way of thinking. People simply do not get tech risk in the same way that they get physical risk. And, even then, we see disproportionate focus on low probability events instead of the high probability events. :S</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: admin</title>
		<link>http://chaordicmind.com/blog/2009/05/05/risk-management-is-a-utopian-kool-aid/comment-page-1/#comment-4</link>
		<dc:creator>admin</dc:creator>
		<pubDate>Tue, 05 May 2009 21:54:29 +0000</pubDate>
		<guid isPermaLink="false">http://chaordicmind.com/blog/?p=5#comment-4</guid>
		<description>Ben, we ended up &lt;a href=&quot;http://www.secureconsulting.net/2009/05/controlling_the_bacon_fever_fr.html&quot; rel=&quot;nofollow&quot;&gt;blogging about a similar topic&lt;/a&gt; and I didn&#039;t even know it.

I am certainly not saying that Risk Management is bunk.  I&#039;m a *strong* believer in RM and the CMM discussed in the post.  I just think we need to alter our perception of RM from that of a scalpel to that of a beef cleaver.  We always want the best for our people but end up facing the world of emotion and irrational thought.

What is it that goes into our metrics?  When we ask someone, &quot;what application is the most critical to your business?&quot; many say E-Mail!  Though it may be important, I&#039;d rather say the systems that keep the cash flowing are more important.  I agree that we need to guide people in the right direction, but what is that right direction?  With different business units touting different needs for a very limited number of resources, who is to say what the &quot;right&quot; direction is?

I&#039;d love to live in a world where we all have infinite volumes of information at an infinite level of understanding, but we do not.  So, just like many CEOs, we must make decisions based on the info we have at hand and go with what the data and our gut tell us.  Sadly, this is not a perfect approach.

I advocate for better data, better information, and better guidance for the masses so they can make better risk based decisions.

As for the PCI DSS, you know I feel that it is *one* good approach, but I also feel there are many others.  If a company has a sound risk management method that focuses on protecting against the electronic and paper theft of payment card data, they are fulfilling the spirit of the standard.  The path to this goal may come in many forms.</description>
		<content:encoded><![CDATA[<p>Ben, we ended up <a href="http://www.secureconsulting.net/2009/05/controlling_the_bacon_fever_fr.html" rel="nofollow">blogging about a similar topic</a> and I didn&#8217;t even know it.</p>
<p>I am certainly not saying that Risk Management is bunk.  I&#8217;m a *strong* believer in RM and the CMM discussed in the post.  I just think we need to alter our perception of RM from that of a scalpel to that of a beef cleaver.  We always want the best for our people but end up facing the world of emotion and irrational thought.</p>
<p>What is it that goes into our metrics?  When we ask someone, &#8220;what application is the most critical to your business?&#8221; many say E-Mail!  Though it may be important, I&#8217;d rather say the systems that keep the cash flowing are more important.  I agree that we need to guide people in the right direction, but what is that right direction?  With different business units touting different needs for a very limited number of resources, who is to say what the &#8220;right&#8221; direction is?</p>
<p>I&#8217;d love to live in a world where we all have infinite volumes of information at an infinite level of understanding, but we do not.  So, just like many CEOs, we must make decisions based on the info we have at hand and go with what the data and our gut tell us.  Sadly, this is not a perfect approach.</p>
<p>I advocate for better data, better information, and better guidance for the masses so they can make better risk based decisions.</p>
<p>As for the PCI DSS, you know I feel that it is *one* good approach, but I also feel there are many others.  If a company has a sound risk management method that focuses on protecting against the electronic and paper theft of payment card data, they are fulfilling the spirit of the standard.  The path to this goal may come in many forms.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ben</title>
		<link>http://chaordicmind.com/blog/2009/05/05/risk-management-is-a-utopian-kool-aid/comment-page-1/#comment-3</link>
		<dc:creator>Ben</dc:creator>
		<pubDate>Tue, 05 May 2009 19:17:39 +0000</pubDate>
		<guid isPermaLink="false">http://chaordicmind.com/blog/?p=5#comment-3</guid>
		<description>I&#039;m afraid I couldn&#039;t disagree more. Just because the average person is disinclined to do the &quot;right thing&quot; doesn&#039;t mean that we shouldn&#039;t continue working to guide them to that thing. Yes, this implies a certain degree of subjective omnipotence, but I think you said it right in that these things are for the long-term good.

In the spirit of your post, however, I&#039;d acquiesce that we need to be doing something different. This is where I find the PCI DSS such an egregious regulation. It doesn&#039;t really move us forward toward addressing the long-term issues. In fact, it seems to barely scratch the surface of the short-term issues. Breaches keep happening, and they keep getting bigger - hardly an endorsement for the standard.

What we need is a complete shift in thinking, a move to a different model, that accomplishes the long-term goals without using the same old mantras and carrots.</description>
		<content:encoded><![CDATA[<p>I&#8217;m afraid I couldn&#8217;t disagree more. Just because the average person is disinclined to do the &#8220;right thing&#8221; doesn&#8217;t mean that we shouldn&#8217;t continue working to guide them to that thing. Yes, this implies a certain degree of subjective omnipotence, but I think you said it right in that these things are for the long-term good.</p>
<p>In the spirit of your post, however, I&#8217;d acquiesce that we need to be doing something different. This is where I find the PCI DSS such an egregious regulation. It doesn&#8217;t really move us forward toward addressing the long-term issues. In fact, it seems to barely scratch the surface of the short-term issues. Breaches keep happening, and they keep getting bigger &#8211; hardly an endorsement for the standard.</p>
<p>What we need is a complete shift in thinking, a move to a different model, that accomplishes the long-term goals without using the same old mantras and carrots.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Andreas Wuchner</title>
		<link>http://chaordicmind.com/blog/2009/05/05/risk-management-is-a-utopian-kool-aid/comment-page-1/#comment-2</link>
		<dc:creator>Andreas Wuchner</dc:creator>
		<pubDate>Tue, 05 May 2009 18:27:14 +0000</pubDate>
		<guid isPermaLink="false">http://chaordicmind.com/blog/?p=5#comment-2</guid>
		<description>For me it&#039;s about people and processes as the first priority, and then technology second. I wrote several articles and step-by-step instructions about Risk Management in IT on my blog at http://ITRiskSpace.com

Visit and let us know what you think.
Enjoy
-Andreas</description>
		<content:encoded><![CDATA[<p>For me it&#8217;s about people and processes as the first priority, and then technology second. I wrote several articles and step-by-step instructions about Risk Management in IT on my blog at <a href="http://ITRiskSpace.com" rel="nofollow">http://ITRiskSpace.com</a></p>
<p>Visit and let us know what you think.<br />
Enjoy<br />
-Andreas</p>
]]></content:encoded>
	</item>
</channel>
</rss>
