One of the key themes at RSA 2012 this year (yeah, you thought RSA posts were done, huh?) was “risk management.” Well, before RSA this year, Jeff Lowder posted this article on the Society of Information Risk Analysts blog. While the post was made by Mr. Lowder, the content is Mr. Hubbard’s. The idea behind the post is to “differentiate between subject matter expertise and expertise in risk management.”
I am confident that many seasoned security professionals would read that post and say one of two things: 1) The level of risk analysis Mr. Hubbard describes is too much, or 2) he’s offsides for suggesting that an SME wouldn’t understand risk in their domain (the audacity of that man!). I have a different perspective: It’s about time someone put it in writing.
Mr. Hubbard is, in fact, correct. Insurance companies have known this for a very long time. We can bring in a lot of people from the automobile industry, but it takes the actuaries in insurance companies to come up with insurance rates – that game is entirely about getting the risk right.
In many ways, the maturity of an industry might be measured, in part, by the way it measures risk. Or, you can simply look at the importance of the domain and the circumstances to determine whether a basic discussion of risk is assumed or detailed risks need to be calculated (this would be the “risk assessment” part, yes?).
While I think Mr. Hubbard may have been harsh on some of the existing information security frameworks in use today (in particular ISO 27005 – it’s really only as effective as the implementing organization makes it), a particular sentence inspired me to get around to posting this someday (I guess that day has come):
The name “SIRA” indicates this group should be a cross section of these two knowledge areas – information security and risk analysis. Both are important and neither is sufficient.
I added the emphasis. When your organization seeks to embark on a risk management crusade, recognizing this point is critical. Information risk management needs information security and it needs risk analysis, both of which are different disciplines.
This is something I did not witness at RSA. Maybe I wasn’t in the right sessions or running in the right circles, but most of the “get risk now!” types of things I saw said very little about the discipline of truly analyzing risk. Instead, I saw a lot of hype about a new perspective (but, we should all know this perspective isn’t new).
Finally, and I speak for myself here, if you’re not aware of SIRA, head over to their site and look around. It’s a great group of opinionated, passionate people engaging in true discourse (ok, most of the time it’s discourse, sometimes it’s just bickering like cryptographers). Who knows, maybe next time I’ll post a summary of the spirited discussion we had on the SIRA list resulting from an assertion a friend of mine made: Security and compliance are two sides of the risk management coin. That was a lively discussion (again, mostly discourse).