Risk management is an area that has probably confused more people in infosec than any other. There are lots of good examples of how not to do risk management, and the financial world remains one of the best sources of how to and how not to plan and implement risk management strategies. What makes the financial world a good lab environment is that it has a widely agreed-upon success criterion.
Of course in infosec we have the problem of overfocusing on seductive details, where the seductive details are the "movie plot" threats. Telling the story of threats is a well-worn tactic and can usually be counted on to get more funding for infosec groups, but is it a good use of security dollars? What usually results is a chasing-the-taillights exercise, not improvements in the overall quality of protection and resiliency.
People are easily seduced by uncertainty and spend money trying to reduce it, but this is in general a futile exercise. It has proven to be much more effective to focus on reducing risk - playing defense. Here is my favorite line from the Berkshire Hathaway annual letter, emphasis added:
How well does this approach - adjusting for downside risk first - work overall, you might ask? The answer is that it's working rather well.

First, we have never had any five-year period beginning with 1965-69 and ending with 2005-09 – and there have been 41 of these – during which our gain in book value did not exceed the S&P's gain. Second, though we have lagged the S&P in some years that were positive for the market, we have consistently done better than the S&P in the eleven years during which it delivered negative results. In other words, our defense has been better than our offense, and that's likely to continue.
There are many risk management exercises that try to define uncertainty and volatility, but it's better to take a conservative approach that builds a margin of safety in from the get-go. From an infosec standpoint, when building something for your enterprise, what is your defensive architecture, design, coding, and testing?