In the movie Forrest Gump, the main character comments, “life is like a box of chocolates – you never know what you’re gonna get.” I think the same can be said for risk.
I talk with lots of enterprises during my work, and there is a widespread misconception that using “the right risk framework” or “calculating risk correctly” will somehow provide us with the answer to life, the universe, and information security. The problem is risk – and risk tolerance is very personal and highly subjective, so one person’s perfect answer may not satisfy someone else.
From my perspective, when choosing, implementing, and using risk models, the best we can hope to achieve is congruency in our answers – in other words, different people evaluating a risk using a model should come out with similar but not necessarily identical assessments.
Resilience and Context
Ideally, your approach to risk should be resilient so it can help you adapt your responses, priorities and actions in the face of changes in conditions – and things will change. Whether the change is in the threat landscape, your own internal capabilities, or other factors that flavor your perception of and tolerance for risk, you must be adaptive in your approach.
Think of it this way: People investing for retirement often have very different appetites for risk depending on how old they are, how much money they have and what’s going on in the financial markets at any given time. They may come out with similar assessments of the risks and potential returns in the investment landscape, but choose totally different investments based on their own risk tolerance and the context of their individual situations.
The same is true of organizations making decisions about how to respond to information security risk – this is not a “one size fits all” proposition, and you must periodically reevaluate what you’re doing in light of changing circumstances, both yours and those of external forces.
Decisions over Correctness
One of the obstacles I often see is that companies spend too much time trying to get to “the right answer,” which may delay action or cause them to never come to agreement on which actions to take. This can be fatal – while we stand there deliberating, the threats and attackers just keep on moving on us.
Rather than trying to get to the perfect answer, I would rather see organizations document their assumptions, document the reasons for their decisions and decide how they will track their performance to see how well those decisions worked out. This not only helps guide actions, but it begins to build a base of data for better, faster and more confident evaluation of risks when making security decisions in the future.
The beauty of this approach is that it encourages executive-level cross-functional discussion, which can only be a good thing. After all, risk is like a box of chocolates – you never know what you’re going to get.
Don’t let a lack of “knowing” paralyze your organization.