James Montier talks about the flaws of finance that led to the 2008 crash - bad models, bad incentives and bad behavior.
Jeremy Grantham said that in response to 2008 we would learn a lot in the short term, a little in the mid term and in the long term nothing. That's the historical precedent.
In the last six months, only a few years removed from staring into the abyss in 2008, we've had the trifecta come back. Here is what's happened since last fall:
1. Rogue trader at UBS losing $4B (and a CEO ouster) - bad behavior
2. 40-1 Leverage blowing up MF Global - bad incentive
3. VaR models losing $2 billion for JPM - bad models
The subject of my talk at Secure 360 was checklists, which are essential to make sure we're actually trying to avoid mistakes. In the wake of 2008, many people said the models were not really bad in isolation; people were just dumb in how they applied them. One possible answer to this is: so what? If it doesn't work in practice, then the answer is not more theory. Another answer is that isolation itself is the problem. It turns out that no, you need to build in process discipline and restraints to avoid mistakes.
We have the same problem in infosec, where we need checklists to get the right information into the right person's hands at the right time.
At a minimum, identify the people who have the biggest impact on your security, and have a checklist for each of those security influencers:
- The Person Coding Your App
- Your DBA
- Your Testers
- Your Ops team