A Death in the Desert

The often-repeated cliché "Better the devil you know than the devil you don't" is used to justify taking no action in the face of something new: keeping something you understand and forgoing something that carries more uncertainty. The question of staying put or changing is a problem all CEOs and executives contend with. In my youth a much older and wealthier businessman told me that when you are an innovator and you are first to the well, you get a long drink. And he was right; he just left out the part that most innovators die in the desert before they reach the well. On my second death in the desert (with apologies to Robert Browning) I realized that successful enterprises walk quickly over the corpses of innovators and hang around the well having a good drink and speaking admiringly of the recently deceased, whose agonizing path made it all possible. So the market collectively is always smarter than any one individual innovator, and all the guesses of all the participants will eventually show the way (if one exists), and others will copy.

Returning to our original problem of which devil – which we can show more concretely with an enterprise risk management example, such as whether to upgrade the enterprise software or stay on the current version – what is one to do? The answer comes down to access to capital and level of pain. This may not be so obvious if you have spent your entire career in a large enterprise and take capital for granted. Innovation fails so often that if you can afford to wait, then do so. Some will say "innovate or die," but that truth does not have a time preference, nor does it specify the degree of innovation needed to survive. In most cases it takes years longer than the salesman says, and good enough is sufficient if the customer is happy. How long did it take for the Internet bubble to burst under the weight of bad models? How long was General Motors able to ignore its customers? It's always longer than you think. Those vendor discounts will lower your perceived risk, not your actual risk. The insider clamoring loudest to be first may only want a bullet on his resume or to see his name in the case study. The small company with little capital must be more aggressive and, as statistics show, will fail at a higher rate, from which we can all learn.

But if, appealing thence, he cower, avouch
He is mere man, and in humility
Neither may know God nor mistake himself;
I point to the immediate consequence
And say, by such confession straight he falls
Into man’s place, a thing nor God nor beast,
Made to know that he can know and not more:
Lower than God who knows all and can all,
Higher than beasts which know and can so far
As each beast’s limit, perfect to an end,
Nor conscious that they know, nor craving more;
While man knows partly but conceives beside,
Creeps ever on from fancies to the fact,
And in this striving, this converting air
Into a solid he may grasp and use,
Finds progress, man’s distinctive mark alone,
Not God’s, and not the beasts’: God is, they are,
Man partly is and wholly hopes to be.

Excerpted from "A Death in the Desert"

by Robert Browning

The Regulatory Tail and Risk Management Dog

There is a seemingly endless number of information security frameworks available to the practitioner, life cycles to aid in understanding, and policies derived from those frameworks. In many cases the implementation takes place, but unless it is an audit item or there is a regulatory compliance requirement, there is very little enforcement. I have witnessed this in every major corporation I worked with. In most cases this is because of limited knowledge or a limited number of personnel, which is driven by budget priorities. Renewing the club membership for senior executives is more critical than adding one more person for policy compliance. I write that without a hint of sarcasm. If I have a senior marketing executive whose efforts are growing sales, it is money well spent. Take that away and he may move to a competitor. Sales and marketing are the apex of the pyramid; everything else is support.

Companies invariably treat the various forms of regulatory compliance as a nuisance to be dealt with, not as a risk management tool. The correct approach is to do risk management properly, and the regulatory compliance will follow. This is well known. It isn't done on the whole, however, and many information security managers use regulation to push through better practices under the auspices of meeting compliance. It is ineluctable that regulatory frameworks will become outdated as innovation occurs, and those companies whose regulatory tail wagged the risk management dog will be more vulnerable than ever.