The Discipline of Disciplines

Every one of us today is attempting to move from a less desirable state toward a more desirable one.  We are goal-directed; whether those goals are ignoble or not matters little.  The farmer and the criminal alike seek after something more desirable.  This is true of individual behaviour and of corporate action.  Along this path we face scarcity of resources and absolute limits on our time.  Eventually we die.  Because of the foregoing, we make daily trade-offs in the actions we take and don’t take, and we approach our goals systematically.  The fool and the wise both have a process.

So when a business fails to address any number of risks, is it behaving irrationally?  Anyone with in-depth knowledge of a field is tuned into its risks.  The Bundesnachrichtendienst knows more about the threat of terrorism to Berlin than I do.  The top security researchers know just how vulnerable our systems are to a directed attack by a highly skilled person.  Many security researchers carp endlessly that people “don’t get it”, that they are victims waiting to happen.  As a generalization this is true, but I believe the behaviour is not irrational.  The corporate result may appear irrational, but the individual activity is not.  Most people assess a risk based on some degree of its locality and recent occurrence; for example, if you discovered that several of your neighbors had been mugged, you would grow more cautious.  There have been sufficient numbers of viruses and exploits that most people have some degree of caution now.  Inside corporations we have policies, practices, frameworks and protocols to address the threats, but there will always be residual risk.

When I found outstandingly bad practices inside a company, it used to be because of ignorance.  This is not a slur; they didn’t know or understand.  In the last five years it has become increasingly due to limited resources.  I believe this is progress.  The goal of security has always been to build reliable and dependable systems in the face of misadventure, malice, and error.  I would add a secondary goal, and that would be to accomplish a better result over time at a lower cost*.

You cannot address all risks, so you have to divide them into those that can be measured statistically and assigned probabilities, and those whose statistical profile is not known, for example a terrorist attack or an earthquake.  For those with known probabilities and losses the approaches are well established.  For those that occur infrequently with catastrophic consequences, the best we can do now is build resilient systems and set aside financial reserves.  Time and experience aid us in addressing risk, but we will never be fully protected; the purist and the idealist in any field are cynics in training.  The discipline of disciplines is balance.

*This must be done even in the face of ossified regulatory burdens.

The Regulatory Tail and Risk Management Dog

There are a seemingly endless number of information security frameworks available to the practitioner, life cycles to aid in understanding, and policies derived from frameworks.  In many cases the implementation takes place, but unless it is an audit item or there exists a regulatory compliance requirement, there is very little enforcement.  I have witnessed this in every major corporation I worked with.  In most cases this is because of limited knowledge or a limited number of personnel, which is driven by budget priorities.  Renewing the club membership for senior executives is more critical than adding one more person for policy compliance.  I write that without a hint of sarcasm.  If I have a senior marketing executive whose efforts are growing sales, it is money well spent.  Take that away and he may move to a competitor.  Sales and marketing are the apex of the pyramid; everything else is support.

Companies invariably treat the various forms of regulatory compliance as a nuisance to be dealt with, not as a risk management tool.  The correct approach is to do risk management properly, and regulatory compliance will follow.  This is well known.  It isn’t done on the whole, however, and many information security managers use regulation to push through better practices under the auspices of meeting compliance.  It is ineluctable that regulatory frameworks will become outdated as innovation occurs, and those companies whose regulatory tail wagged the risk management dog will be more vulnerable than ever.