Here I sit at the kitchen table at 5:30 in the morning, coffee in hand, writing the first sentence of a blog post I’ve known about for weeks. Yet, I have nothing planned – nothing prepared – so I, in effect, have a “fire” on my hands. I am quick to tell myself that, for longer than I can remember, I’ve been stretching thin supporting R&D, sales, marketing, product,
personal, and family needs. Maybe it’s sleep deprivation. Maybe it’s a social filter that hasn’t yet clicked on, but I admit that I’m really feeling…
Tired. I am tired – for a variety of reasons. I have a lot on my plate. I’m up 18 hours a day. I feel constantly behind (I’m over 230 unread Readability articles). My OmniFocus content is growing like mint in an herb garden. On the plus side, my inbox is empty. Of course, the “action” folder I keep is larger than my Readability list. I feel overwhelmed, and I will burn out if I continue down this path – I know it, my family knows it, and I’m quite certain my employer knows it.
My present state of being, I think, quite accurately reflects the security function of many organizations: Too much is asked of us, or we take on too much (six of one, half dozen of the other?). Like me, security functions are well-intentioned. They mean to do good for the organization. But by lacking focus – by not applying their precious resources where they are most needed, they may do more harm than good. Clearly, what we are doing today is not working, and it is not healthy for the organization or the people staffing the security function. Something has to change.
This is where proponents of Risk Management would typically ride in on their
white horse stallion with the promise of fixing everything (I don’t really believe risk management is evil). “Risk management focuses your efforts,” they say. Just follow the logic of it: If you’re assessing your security risk, you are measuring; if you are measuring, you should be able to prioritize; if you can prioritize, then you should feel comfortable letting some things go. This is a lot like Getting Things Done, which I try to apply. The problem, I think, is that I’m human, and letting go of the lower-priority things never seems to be easy.
Now, I would suggest that most organizations are on the low end of the (notional) risk maturity scale. Certain industries may be ahead of others, but, in general, most organizations do not apply security risk management in any formal (i.e. organizationally sanctioned) manner. Therefore, it could be argued that the promise of security risk management is today only a hypothesis, which means that we simply do not know how well it will work. If we practice security risk management poorly, will we be worse off, experience no meaningful change, or be better off than we are today? Much like my application of an “action” folder, if we practice security risk management, are we just moving work around? To put it mathematically, is security risk management at this point just a null hypothesis in need of testing?
I am curious to hear from our readers: Do you believe in the promise of Risk Management? Please, leave your comments here and let your colleagues know about this post. Tweet it, Like it, +1 it, share it, or reach out to me on Twitter. I am genuinely curious to understand, if not scientifically, how others feel about the promise of risk management.