down the blind alley (pdf)


Upload: jurgen-van-der-vlugt

Post on 10-Jul-2015


DESCRIPTION

The Down the Blind Alley presentation in PDF, with properly formatted front page and notes pages.

TRANSCRIPT

Page 1: Down the Blind Alley (PDF)

The Future of Risk Management / Where Will Risk Management Go ..?

ISSA International Conference, Baltimore, October 2011

Original title: The Future of Risk Management. This one appeared to be a little bit more alluring, if at all.

Note that this presentation is Work In Progress for a major part of the content. Please contribute.

Page 2: Down the Blind Alley (PDF)
Page 3: Down the Blind Alley (PDF)


You may or may not see the last bullets of this presentation. Nevertheless I hope to convey some content:

Ir = Engineer (MSc, IT), drs = Masters (MBA, finance), RE = Chartered IS auditor (comp. CPA); CISA, CRISC I take it are known.

With KPMG: IT audit (Windows NT, Year 2000).

With ABN AMRO: Global “IT” Audit; relations mgt, auditing programs/projects, and auditing outsourcing deals (plus some BCM and governance/compliance stuff), but also the Information component in Security (physical, forensics, integrated sec).

With Noordbeek (boutique consultancy): again, information risk audit at various clients (size: small to DoD), focus on control frameworks, governance, some certifications.

With Achmea: IT audit and governance reviews. Hey, my job will end per 31/12/2011, so if you have an opening…

With NOREA (Dutch charter of IS auditors): Professional Practices Committee, Standards Committee, Professional Education Committee, Working Group Advisory Services Regulation.

With ISSA: (Global) Ethics Committee.

Speaker at various conferences, author of a list of articles, columns on professional practices and methodology.

[ DISCLAIMER: From here on, when I speak of ‘you’, I mean ‘I’, too. ]

Interrupting questions are welcome – although I may defer answering them to later in the presentation.

[ DISCLAIMER: Nothing in this presentation necessarily concurs with any official opinion of my employer. Possibly, quite the contrary. Their bad. ]

Page 4: Down the Blind Alley (PDF)

[ DISCLAIMER: Neither I nor any close relatives, friends, colleagues or business relations have business interests within arm’s length that would benefit from this presentation. ]


Page 5: Down the Blind Alley (PDF)


Information security is mainly about safeguarding the information assets of an organization. Those assets are a mainstay of total assets.

As we deal more with data, we’re in the Operational part of organization-wide risk management.

But there’s also a part of our work that deals with realization of the value embedded in information. We don’t do too much with it, usually, as it would make us enter the realm of business. We should do more about it! But that’s not the focus of this presentation.

In this presentation, we deal more with risk management per se.

Page 6: Down the Blind Alley (PDF)


We don’t learn from history. If at all, we learn from history that we don’t learn from history.

In come risk managers that want data on all sorts of things that have happened in the past. Just like auditors: on a highway into the future with limited sight away from the rearview mirror.

Like the Greek god Janus, we stand in the present and can look both ways. Back into the dark, with a grimace. Forward into the future, smiling into the bright light. When you see a light at the end of a tunnel, it may be a train speeding towards you.

The past didn’t have a train speeding towards us, as we’re still kind of alive. That bright light may be so for others, when we have been run over.

So why do we value historic data so much? Why do we want metrics? Do we learn from history?

Short answer: We don’t, and even when we want to, we can’t…

Oh, and fraud has a nasty habit of being of all times; we’ll never be done. Which is a plus, job contract wise. But higher-ups may disagree when they see no progress.

With all I say after this, remember to CYA; it’s the least (and maybe most) you can do. Do the simple (?) stuff and let the organization regain control over risks; that you can achieve.

Plus hopefully learn from what’s next and help (me) develop better stuff.

Page 7: Down the Blind Alley (PDF)


We don’t learn from history. Or history presents itself as something new every time. Or we don’t recognise correctly what history turns up in a new guise this time.

Page 8: Down the Blind Alley (PDF)


This is what we came up with. Operational Risk Management. Structures, models, processes. Indicators. Worst of all: ‘Controls’… I haven’t put in all the Boards and Meetings that come along with setting up and running All Of The Above. And I haven’t even put Governance and Compliance things in the picture. That would create an even bigger overhead bulge.

Imagine being in the primary organization process. Would you really like to work hard to carry all the overhead? Would you still show initiative and resource to ‘help’ those leaning over your shoulder from all sides ..?

Page 9: Down the Blind Alley (PDF)


Which one of the onlookers is you ..?

Although we know the feeling of doing the drilling and not getting anywhere near the root cause of a problem.

Page 10: Down the Blind Alley (PDF)


Didn’t we all muddle along in operational risk management, without a proper framework to work with ..? Or did we do serious work already?

Anyway, over in Europe, in a picturesque little town (hardly a city…) called Basel, the Bank for International Settlements (the bank of central banks) issued guidance on risk management. After some bickering over details, it was turned into European law. Other regions moved in the same direction.

Page 11: Down the Blind Alley (PDF)


Your name. Oh great.

But SOx didn’t give too much guidance, hence it turned into an auditors’ bonanza.

[ Disclaimer: I lean more to the Orioles, Blue Jays and Cubs. Yeah, blame the Europeans for not understanding the game. ‘You’ do well in curling… ]

And I need not mention the many, many other regulations that have been poured out over us.

Page 12: Down the Blind Alley (PDF)


Guidance is nice, unless it’s bad guidance or poorly understood guidance or … guidance can go wrong in a number of ways.

In case of Basel:

• Whereas Basel II was intended to remedy major incidents with root causes in operational hiccups, 95% of the text was devoted to financial instrument details. Less than 5% was devoted to operational risk management;

• In particular the operational risk part was intended as guidance (to standard setters);

• The ops risk guidance was flawed in its approach:

    • Cause and effects are loosely defined,

    • Definitions overlap (no orthogonality in classification),

    • Events are defined as 1 cause, 1 effect,

    • No feedback loops (effect being cause of next failed link of the chain/mesh),

    • Focus on learning from history and improving from there.

• Then, the guidance was taken as Directive (CYA). Banks did NOT already themselves have an urge to prevent preventable losses; they only moved now they were forced to;

• I.e., they did the least possible to be able to bluff their way into compliance;

• By, e.g., building ops loss tracking databases:

    • Thresholds without the ‘requirement’ to aggregate: incomplete picture,

    • Self-reporting of losses by managers and executives, in the peak of the performance bonus days. Yeah, that’ll work,

    • Self-reporting through (ad hoc, local) accounting rules: incomplete, biased picture,

    • With too little guidance on classification: inconsistent filing,

    • Which leads to useless data, not information.

• Oh, and did we mention that there was little guidance (!) on what positive to do with the results ..? (re: no urge to improve)

Page 13: Down the Blind Alley (PDF)


Results are: formal, paper compliance to the letter, but no (better) operational risk management…

Seems like Basel II was more of an incident in itself; fire fighting staved off the ill (!) effects …

But it started me thinking on how one should do operational risk management.

[First skirmishes led to a perceived need to change the bank’s approach to ops risk mgt. Couldn’t get that through, and as I didn’t want to be part of something so faulty, I first left the audit department, then left the bank…]

Page 14: Down the Blind Alley (PDF)


Usually, according to ‘best’ practice.

Chance is some frequency. Impact is some (dollar) amount.

Scales are translations according to some, hopefully uniformly defined and used, definitions.

Note that the scales are interval scales (http://en.wikipedia.org/wiki/Level_of_measurement; regular intervals) with elements of a ratio scale (has a zero).

Risks are prioritised according to their severity.

Maybe using Color in fancy heat maps. Placate some higher-ups, at their level of intelligence. Which they may perceive as your level of intelligence, and/or perceive as your perception of their intelligence.

The ‘best’ practice risk management may not be good enough.
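To make the ‘score’ objection concrete, here is an added example (mine, not from the presentation): it maps a conventional 5×5 likelihood × impact matrix back to the quantities its buckets stand for and computes the range of annual expected loss that each cell actually covers. The bucket boundaries (one order of magnitude per rank) and the dollar units are assumptions chosen for illustration.

```python
# Added example (not from the presentation): what a heat-map "score" covers
# once its ordinal buckets are mapped back to the quantities they stand for.
# All bucket boundaries below are assumptions chosen for illustration.

from itertools import product

# Likelihood buckets, rank -> (min, max) events per year.  Assumed.
LIKELIHOOD = {
    1: (0.0, 0.1),        # "rare": less than once a decade
    2: (0.1, 1.0),        # "unlikely"
    3: (1.0, 10.0),       # "possible"
    4: (10.0, 100.0),     # "likely"
    5: (100.0, 1000.0),   # "almost certain"
}

# Impact buckets, rank -> (min, max) loss per event in dollars.  Assumed.
IMPACT = {
    1: (0.0, 1e3),
    2: (1e3, 1e4),
    3: (1e4, 1e5),
    4: (1e5, 1e6),
    5: (1e6, 1e7),
}

def score(likelihood_rank, impact_rank):
    """The usual heat-map score: product of two ordinal ranks."""
    return likelihood_rank * impact_rank

def expected_loss_range(likelihood_rank, impact_rank):
    """Interval of annual expected loss (events/year x loss/event) a cell covers."""
    f_lo, f_hi = LIKELIHOOD[likelihood_rank]
    i_lo, i_hi = IMPACT[impact_rank]
    return (f_lo * i_lo, f_hi * i_hi)

def cells_with_score(s):
    """All (likelihood, impact) cells that carry score s."""
    return [(l, i) for l, i in product(LIKELIHOOD, IMPACT) if score(l, i) == s]

def rank_reversal(cell_a, cell_b):
    """True if cell_a scores higher than cell_b, yet some risk in cell_b can
    carry a larger annual expected loss than some risk in cell_a."""
    if score(*cell_a) <= score(*cell_b):
        return False
    a_lo, _ = expected_loss_range(*cell_a)
    _, b_hi = expected_loss_range(*cell_b)
    return b_hi > a_lo

def overlap_report(s_high, s_low):
    """(higher-scored cell, lower-scored cell) pairs for which the score order
    can be wrong about the underlying expected loss."""
    return [(a, b) for a in cells_with_score(s_high)
                   for b in cells_with_score(s_low) if rank_reversal(a, b)]

if __name__ == "__main__":
    for s in (16, 15, 12, 6):
        for cell in cells_with_score(s):
            lo, hi = expected_loss_range(*cell)
            print(f"score {s:2d} cell L{cell[0]}xI{cell[1]}: "
                  f"expected loss ${lo:,.0f} .. ${hi:,.0f} per year")
    for low in (15, 12, 6):
        print(f"score 16 vs {low}: reversals {overlap_report(16, low)}")
```

With these buckets a cell scored 16 covers exactly the same range of annual expected loss as the two cells scored 15 and overlaps both cells scored 12; only against a score of 6 is the ordering safe. Multiplying two ordinal ranks produces a number, not a measurement.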

Page 15: Down the Blind Alley (PDF)


The colors turn into a black-and-white picture that may be a little bleak, since

Page 16: Down the Blind Alley (PDF)


Problems are easily sketched, but models tend to over-simplify.

• Turning qualitative and wildly biased guesstimates into interval or ratio scales? Didn’t you unlearn that in high school ..?

• Frequency per what? Per 1,000 transactions, per minute, every second, every year, or what ..? If the chance is 1 / 100 (i.e., 1%) per day, you’re pretty darn sure to be hit a couple of times every year – on average, and can expect to be hit two, three, even four times per week very regularly.

• What sort of frequency distribution do you use ..? Normal, bell shaped, right ..? Very, very wrong. Hardly anything has that distribution. Consider all the flight-of-fancy characteristics of the normal distribution. You simply don’t know the distribution.

• OK, for impact, we sometimes have some data. But how typical is it …? A sample of one …?? (Because all but certainly, next time’s different.) Is it complete, believable ..?

• How bad is a ‘score’ of 16? Is it worse than 15.5 ..? Or 15.999? Statisticians use decimal points to prove they have a sense of humor. You use numbers to show you don’t understand them. [Apologies for putting that slightly undiplomatically!]

• The vast majority of all this is guesswork. Don’t claim precision or science when they’re NOT. You DON’T falsify or seriously (…) verify whether your assumptions are true, or reasonable.

• And, let’s not forget you don’t know whether your data is sufficiently complete … In particular, the turkey before Thanksgiving problem. Or: last time I looked, I was still alive. And I have tens of thousands of data points that demonstrate that every morning, I am alive. So … I am immortal …?
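The ‘frequency per what?’ bullet and the ‘am I immortal?’ bullet can both be put into numbers. The following is an added example, not from the presentation: the functions take a stated chance together with its unit and return what it implies per year, and apply the rule of three (the standard 95% upper bound on a failure probability after n trials with zero failures) to the tens-of-thousands-of-mornings data set. The unit choices, the 1% figure and the 10,000-day history are constructed for illustration.

```python
# Added example (not from the presentation): what a stated "chance" implies
# once its unit is pinned down, and how little a clean history proves.
# The units, the 1% figure and the 10,000-day history are constructed.

from math import comb, exp, log

def expected_hits(p_per_period, periods):
    """Expected number of hits over `periods` periods, each with chance p."""
    return p_per_period * periods

def prob_at_least(k, p_per_period, periods):
    """P(at least k hits in `periods` independent periods): binomial tail."""
    p = p_per_period
    below = sum(comb(periods, i) * p**i * (1 - p)**(periods - i) for i in range(k))
    return 1.0 - below

PERIODS_PER_YEAR = {               # assumed readings of "the chance is 1%"
    "per day": 365,
    "per hour": 365 * 24,
    "per transaction at 1,000/day": 365 * 1000,
}

def yearly_outlook(p, unit):
    """The same '1%' read under different units gives very different years."""
    n = PERIODS_PER_YEAR[unit]
    return {
        "unit": unit,
        "expected_per_year": expected_hits(p, n),
        "p_at_least_one_per_year": prob_at_least(1, p, n),
    }

def rule_of_three(n_clean):
    """95% upper confidence bound on the per-period failure probability after
    n_clean periods with zero failures: the exact value (solve (1-p)^n = 0.05
    for p) and the usual 3/n approximation."""
    exact = 1.0 - exp(log(0.05) / n_clean)
    return exact, 3.0 / n_clean

def turkey_problem(days_alive, horizon_days=3650):
    """A long run of mornings alive bounds the daily risk; it does not zero it.
    Returns the daily upper bound and the chance of at least one 'hit' over
    the horizon that this bound cannot rule out."""
    p_upper, _ = rule_of_three(days_alive)
    return p_upper, prob_at_least(1, p_upper, horizon_days)

if __name__ == "__main__":
    for unit in PERIODS_PER_YEAR:
        o = yearly_outlook(0.01, unit)
        print(f"1% {o['unit']:>30}: {o['expected_per_year']:9.1f} hits/year "
              f"expected, P(>=1 in a year) = {o['p_at_least_one_per_year']:.4f}")
    print(f"P(>=2 hits in one week at 1%/day) = {prob_at_least(2, 0.01, 7):.4f}")
    p_day, p_decade = turkey_problem(10_000)
    print(f"10,000 clean mornings: daily risk <= {p_day:.2e} (95% bound), so a "
          f"{p_decade:.0%} chance over the next decade cannot be excluded")
```

The point of the last function is the direction of the inference: ten thousand clean observations shrink the bound on the daily probability to about 3 in 10,000, and that bound still leaves a better-than-even chance of a hit somewhere in the next decade. Survival so far is data about the bound, not proof of immortality.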

Page 17: Down the Blind Alley (PDF)


Even if you were to establish some sort of correct model …:

The frequency (of occurrence) distribution is a distribution in its own right. A high probability of a low number of occurrences, and the other way around. Note that the average doesn’t say very much, nor does the median, or ‘variance’ …

The impact distribution may not be linear but rises.

The result (product) will probably be an exponential thing. The tail is very, very fat. While on frequency alone, we usually disregard it…
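What the ‘product’ of a frequency distribution and a rising impact distribution looks like can be simulated rather than argued. This is an added example, not from the presentation: annual loss is modelled as a Poisson number of events per year, each costing a lognormal amount. The Poisson and lognormal families, the rate of 3 events per year, the median loss of $10,000 and the dispersion are all assumptions chosen for illustration. The summary puts the mean (what frequency × impact gives you) beside the median, the far percentiles and the share of loss-free years.

```python
# Added example (not from the presentation): simulate the "product" of a
# frequency distribution and an impact distribution and look at its tail.
# Poisson frequency, lognormal impact and every parameter below are
# assumptions chosen to illustrate the point; none of it is data.

import random
from math import exp, log

def poisson(rng, lam):
    """Knuth's method: draw the number of events in a year when the yearly
    count is Poisson(lam)."""
    limit, k, p = exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_losses(lam, mu, sigma, years, seed=42):
    """Annual aggregate loss: N ~ Poisson(lam) events, each costing a
    lognormal(mu, sigma) amount.  Returns the sorted list of yearly totals."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        n = poisson(rng, lam)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    totals.sort()
    return totals

def percentile(sorted_vals, q):
    """Empirical q-quantile of an already sorted list."""
    idx = min(len(sorted_vals) - 1, int(q * len(sorted_vals)))
    return sorted_vals[idx]

def analytic_expected_loss(lam, mu, sigma):
    """Frequency times impact: the single number a heat map reduces this to."""
    return lam * exp(mu + sigma ** 2 / 2)

def summarize(totals):
    """The mean versus the shape of the distribution around it."""
    n = len(totals)
    return {
        "mean": sum(totals) / n,
        "median": percentile(totals, 0.5),
        "p99": percentile(totals, 0.99),
        "p999": percentile(totals, 0.999),
        "max": totals[-1],
        "zero_years": sum(1 for t in totals if t == 0) / n,
    }

def demo(years=20_000, seed=42):
    """Run the illustration with the assumed parameters (3 events/year,
    median loss $10k, sigma 1.5).  Returns (summary, analytic mean)."""
    lam, mu, sigma = 3.0, log(10_000), 1.5
    totals = simulate_annual_losses(lam, mu, sigma, years, seed)
    return summarize(totals), analytic_expected_loss(lam, mu, sigma)

if __name__ == "__main__":
    summary, analytic = demo()
    print(f"analytic frequency x impact : ${analytic:>14,.0f}")
    for k, v in summary.items():
        shown = f"{v:.1%}" if k == "zero_years" else f"${v:>14,.0f}"
        print(f"{k:>28}: {shown}")
```

With the seed in the block, the simulated mean lands close to the analytic frequency × impact figure, but the median year is well below it, the 99th percentile is several times the mean and the 99.9th percentile higher still, while roughly 5% of years show no loss at all. The ‘average year’ is one that rarely happens; the tail is where survivability is decided.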

Page 18: Down the Blind Alley (PDF)


There’s your problem: You don’t know any of these factors. You guess all the way.

Page 19: Down the Blind Alley (PDF)


It’s a balancing act. Yes, young man, you too can be an astronaut, or even better, a risk manager!

Page 20: Down the Blind Alley (PDF)


[ Assuming there is such a thing as a frequency versus impact graph ;-]

On the left, there’s operational losses. Simple little errors and omissions that lead to small losses (mainly costs of repair and restore). They occur frequently enough to amount to something, so analysis may lead to simple countermeasures (controls, procedures) to prevent, or detect and restore, the defects systematically and efficiently. Job done.

This is the realm of Operational Risk Management as it is usually carried out in transactional services.

On the right, we see the low frequency of very, very bad things happening. They don’t occur often, but even if there is a high probability that they haven’t happened yet, they will, or they wouldn’t exist as a threat. Many of these things fall off the radar. With Black Swan consequences… When, not if, one of these incidents happens, the organization’s survivability is under threat.

The unpredictable (?) nature of these incidents means we have to be as vigilant as possible to see them coming – usually, they’re not a complete surprise, early warnings exist – and then do all we can to limit the damage. This is the Business Continuity Management sector of risk management. Be Prepared…

We (information) security are stuck in the middle. Incidents happen. Not so often as to be routine (or you will have things under control via standard procedures), but often enough and with enough damages incurred to sum up to something sizeable.

Having developed along the axes of separate ‘programs’, ORM, Security and BCM have been known to get involved in turf wars. As we have a continuum, who will determine methodologies, who will control budgets and power?

ORM will declare that all of the above should be under their supreme command. Security and BCM are just variants under their same header. So does BCM say, from the other side. And we are stuck in the middle.

Page 21: Down the Blind Alley (PDF)


Three lines of defense… sounds serious, but is a bit eager beaver. There’s no defense, as in being armed and shooting, going on in the second and third lines!

Three levels of being in control is more what it is. Or three lines of abstraction away from material problems.

Taken the other way around, it’s more about three lines of defending the regulator from getting a clue.

Personally, as an auditor …

• I dislike the development of Risk Management as a defense against auditors;

• I dislike the abstraction layers and all the formal organizational procedures, hierarchy, meetings, discussion platforms, communities of practice, TPS Reports, etc. etc., that come with these structures.

My heart may be too much with actual content to care about formalities. We all want to be effective and solve problems, or do you not want that but want to just conform like a robot…?

Page 22: Down the Blind Alley (PDF)


All the detail. This is just within one Line of Defense, and is still way incomplete in depicting all meetings, gatherings, discussion platforms, etc.

Page 23: Down the Blind Alley (PDF)

OK, one from Despair.com, heartily recommended.

Page 24: Down the Blind Alley (PDF)


Both are good reads, though not necessarily easy reads. The UK examples of organizations, etc., you can easily replace with similar ones from any of your own country/ies. Organized Uncertainty in particular spells out the boom of Risk Management as an abstract discipline with chain reaction avalanche growth.

Page 25: Down the Blind Alley (PDF)


OK, getting back to the details.

We analyse from 1 cause, 1 effect, all the way into lumping all threats into one CIA rating, and then fan back out again with all sorts of controls and countermeasures.

[Not to mention the methodological / communications comedy of errors due to even slight definition differences, in particular re the latter two terms.]

But then we lose a lot of relevance. Which we may sometimes re-input, leading to hybrid models that are ill understood, contradictory, etc.

Let alone that 90%+ of our day-to-day problems come from psychological and (organizational-)sociological difficulties with Man.

Those have been around since the savannah days. Oh, those were the days!

Those problems of time immemorial haven’t been solved. That is why the Classics are classics.

So,

A. We solve them in a decade, for once and forever – and pull off what the greats and the giants of all times couldn’t pull off even when they didn’t have serious deadlines and budgets to consider,

B. We learn to live with them. Which means, we, techies par excellence, will have to know ‘all’ about psychology and sociology. (And maintain our technical edge.) And change our mindsets. No more silver bullets, but actual management of risks by shaving off the rough edges and leaving the rest to muddle along with. Uhm, I mean, accept.

Page 26: Down the Blind Alley (PDF)


We oversimplify our models!

Re Albert: modeling is an analysis tool, to weed out noise. Not more, or you end up with something that may have too little predictive value; the error rate will dominate.

Yes, that’s very, very bad. Because we blinder (blinker) ourselves, and the ones that we advise. We tunnel our vision and filter too much.

That’s why Black Swans happen.

Even worse, Gödel’s incompleteness theorem (proven for mathematics, seems valid elsewhere, where models are far more inaccurate) states that we cannot include everything (relevant) in our models. So, the unexpected will happen, and things not even in your model (not conceivable) will happen.

Contrary to that, risk managers also have been found guilty of, after melting, restoring the exact ice cube from the water. Next time, it’ll be a different ice cube that melts. Hindsight is easy and the model will fit. Going forward, it will not.

In particular, the turkey before Thanksgiving problem.

Page 27: Down the Blind Alley (PDF)


Even worse, Gödel’s incompleteness theorem (proven for mathematics, seems valid elsewhere, where models are far more inaccurate) states that we cannot include everything (relevant) in our models. So, the unexpected will happen, and things not even in your model (not conceivable) will happen.

So, the best we can do is handle what we do know – once we do know those things, which is different from guesswork.

Note that once we do know things sure enough, they may not be labeled ‘risks’ anymore. The uncertainty is shrunk to insignificance, and if we have proper controls in place, we’re left with the remainder risk.

And of that remainder risk, a now larger part is unmanageable…

Do your job well, and your organization ends up worse than before. You’re on the road to CxO.

How can the future be so hard to predict when all of my worst fears keep coming true?

Page 28: Down the Blind Alley (PDF)


Your outlook:

• A bumpy road (the easy road leads to…, you know….);

• Mist, fog;

• Any number of threats jumping out of the woodwork. Are you a) on your way to a good hunting spot when a white tail jumps out of the woods, or b) Altavista, when Page & Brin jump out of the woods …? Unfortunately, odds are it’s b).

We just can’t predict the future …! In particular, the turkey before Thanksgiving problem.

Now this is methodologically correct, but not a viable model …?

Page 29: Down the Blind Alley (PDF)

Another one from Despair.com. How useful that site and its products are for us in the InfoSec world.

Page 30: Down the Blind Alley (PDF)


Hey, those look like bullets, disguised. Yes, but they’re yours. I wouldn’t use any of those. And, every single line is self-deception.

1. Nothing is perfect. But not everything is as flawed as your models.

2. The assumptions are not reasonable. They’re biased guesses; a monkey would do better (no bias!).

3. If the assumptions don’t matter, why state them? And, they do matter or you have no functioning model (however flawed).

4. Conservative, compared to what ..? And they had better be right, for your models to have some realism. Conservatism may/will lead to the wrong conclusions.

5. Your assumptions are vastly more easily proven wrong than they are proven (!) to be right. Same, even for plausibility!

6. So, if everybody else jumps in the water, you follow ..? CYA may not be good enough…

7. Beware of the false prophet. Is the decision-maker better off by being misled …!?

8. Oh yes they are, because they’ll lead you astray, until you know which parts work. Why not strip the rest, then ..? Or use a horoscope; that soothes people’s anxieties, too.

9. Garbage in, garbage out. And your best may not be good enough even if the data were accurate. ‘Completeness’, anyone?

10. Yes. But be sure to make the right ones, and to brutally scrutinize their validity, and determine the impact of changes in assumptions. Do you, ever (even identify your assumptions) ..?

11. Why ..? They’re not babies. They’re tools.

12. The harm is you, and your clients, are led astray by the emperor’s new clothes. Why pilot a plane from JFK to Atlanta and try to land using a map of Meigs Field …? Would you buy or drive a car when all parts are custom designed but e.g. the brakes not seriously tested ..? Analogies abound.

Page 31: Down the Blind Alley (PDF)

Oh, Despair, how right you are.

Page 32: Down the Blind Alley (PDF)


As for the future, we are.

Half of the companies you read about in the papers today will not exist in 20 years’ time. They all have great strategic planning…

How long will the DVD last ..? Did anyone at Altavista see students Page and Brin program on their laptops? (Only a handful of years later, Altavista had gone from hero to zero.)

Page 33: Down the Blind Alley (PDF)


Don’t try to be Superman at work. Reserve that for your significant other.

Page 34: Down the Blind Alley (PDF)


Don’t worry. Even if in a support role, we can be of much value.

Otherwise, the future InfoSec folks will look at us like we look at past trainwrecks.

The problems we face fall into two categories:

• Perennial ones, that require risk management;

• Solvable ones, for which everyone must stop asking for Structure; we must just solve them, like engineers tackle a problem.

For the perennials: remember Einstein’s quote: “There are two things infinite: human stupidity and the universe. And I’m not sure about the universe…”

(Repeat) Note that once you control the solvable problems, they are not risks in a sense that they should be managed, apart from remainder risks.

A bit more on the solvable ones, first.

Page 35: Down the Blind Alley (PDF)


As a start, get the simple things right. No half measures that are ineffective or have negative side-effects that are worse.

And don’t over-promise. Call the bluff of those that do (e.g., dare vendors to put their (!) money where their mouth is with respect to their silver bullet’s effectiveness and efficiency).

And do analyse not only incidents, but also the tactics and strategy behind attacks. (Conscious attackers) Be aware that the Others may learn fast. Faster than you ..?

To sum up, don’t drop all your work and starve in analysis paralysis. Keep on doing what you do, but don’t make it pretty and fancy by putting bad risk modeling icing on the cake.

Page 36: Down the Blind Alley (PDF)


Down to detail.

This includes being picky on issues like authorizations. That nothing has happened yet (at your organization!) doesn’t mean that one day, you’ll be vindicated. If you do not take care, then you’ll be blamed, ‘for sure’.

Page 37: Down the Blind Alley (PDF)


As for the perennials: count on never ending stories.

Come on, people! We’re engineers! We should know all about control loops. Why don’t we apply them in practice, instead of letting MBA types tell us all about management control cycles that are just watered-down versions of the above …?

We need to

1. Devise our own control frameworks,

2. Point out the errors and inapplicability of ‘theirs’.

We need to focus on ‘trigger’ signals. E.g., if and only if I see evidence that a manager has actually assessed a log analysis report and has taken action on risky deviations, do I know that someone drafted a log analysis report, and hence logging was done in a way that allows log analysis, and risky deviations are picked out. You don’t need to check each and every activity, if the last one in line tells you the health of the system.

Well, this is a hypothetical example but you get my drift.

If you have the time to restore the output, output quality measurements will suffice. When you don’t, preventative (and detective/corrective) controls are required.
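The trigger-signal idea (check the last link, infer the chain) only holds when the last piece of evidence cannot exist without the earlier ones. Here is an added example, not from the presentation, of how an evidence chain can be built so that this is true: each stage commits to a digest of the previous stage’s output, and the manager’s sign-off is an HMAC over the report digest and the action taken, so an auditor who verifies the sign-off has also verified that the report and the exact log lines it covered existed unchanged. The log lines, findings, action text and key are constructed for illustration; the sign-off key would in practice live in a secret store, not in the code.

```python
# Added example (not from the presentation): an evidence chain in which
# verifying the last link (the manager's sign-off) also verifies the links
# before it (the report and the logs it was drafted from).
# Sample logs, findings, actions and the key are constructed for illustration.

import hashlib
import hmac
import json

# Constructed sample: the raw log lines a log-analysis report was drafted from.
SAMPLE_LOGS = [
    "2011-10-03T08:00:01Z auth ok user=alice src=10.0.0.5",
    "2011-10-03T08:02:17Z auth fail user=admin src=203.0.113.9",
    "2011-10-03T08:02:19Z auth fail user=admin src=203.0.113.9",
    "2011-10-03T08:05:44Z privilege change user=bob role=dba by=carol",
]

# Constructed key shared by the evidence store and the sign-off tool.
SIGNOFF_KEY = b"constructed-demo-key-not-for-real-use"

def digest_logs(lines):
    """Stage 1 evidence: a digest over the exact log lines that were analysed."""
    h = hashlib.sha256()
    for line in lines:
        h.update(line.encode("utf-8") + b"\n")
    return h.hexdigest()

def draft_report(lines, findings):
    """Stage 2 evidence: the report names the log digest it was drafted from,
    and carries a digest of its own content."""
    report = {"log_digest": digest_logs(lines), "findings": findings}
    body = json.dumps(report, sort_keys=True).encode("utf-8")
    report["report_digest"] = hashlib.sha256(body).hexdigest()
    return report

def sign_off(report, action, key=SIGNOFF_KEY):
    """Stage 3 evidence: the manager's sign-off commits to the report digest
    and to the action taken, via an HMAC under the sign-off key."""
    msg = f"{report['report_digest']}|{action}".encode("utf-8")
    return {"report_digest": report["report_digest"], "action": action,
            "mac": hmac.new(key, msg, hashlib.sha256).hexdigest()}

def verify_chain(signoff, report, lines, key=SIGNOFF_KEY):
    """The auditor's single check.  True only if the sign-off is genuine AND
    it covers the report on file AND that report was drafted over exactly
    these log lines.  Any break anywhere in the chain returns False."""
    msg = f"{signoff['report_digest']}|{signoff['action']}".encode("utf-8")
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signoff["mac"]):
        return False                      # sign-off forged or altered
    if signoff["report_digest"] != report["report_digest"]:
        return False                      # sign-off belongs to another report
    body = {k: v for k, v in report.items() if k != "report_digest"}
    recomputed = hashlib.sha256(
        json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()
    if recomputed != report["report_digest"]:
        return False                      # report edited after sign-off
    return report["log_digest"] == digest_logs(lines)   # logs unchanged

if __name__ == "__main__":
    report = draft_report(SAMPLE_LOGS, ["2 failed admin logons from 203.0.113.9",
                                         "privilege change for bob needs review"])
    signoff = sign_off(report, "ticket opened for bob's role change; source blocked")
    print("intact chain          :", verify_chain(signoff, report, SAMPLE_LOGS))
    pruned = SAMPLE_LOGS[:-1]             # the privilege change 'disappears' later
    print("logs pruned afterwards:", verify_chain(signoff, report, pruned))
```

The single check at the end of the chain is only as strong as the commitments along it: if the report did not name the log digest, or the sign-off did not bind the report digest, the last link would prove that someone signed something, not that logging, analysis and follow-up actually happened on these records.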

By the way, the nesting of control loops would make an ideal three lines of defense model…

Unfortunately, just like PRINCE2 compliance, Pino [Prince in name only] and nePino [not even Pino], we find hardly any real three lines in practice, but much Tino and neTino.

Be aware that many laws and regulations are actually devised to have a ‘one size fits all’ principle-based appearance (!) that results in even more abstract control loops. We don’t need a top-down approach; we need a bottom-up approach for this.

Page 38: Down the Blind Alley (PDF)


And please don’t fight yesterday’s war. That is so passé.

But do learn from military strategy/tactics developments over the centuries. There you have the one (kind of) organization that has persisted, or not.

Page 39: Down the Blind Alley (PDF)


Train like you’ll fight, then you’ll fight like you train. Being Prepared isn’t half bad.

Even if you’re the Canadian air force. [Sorry, Canucks. The beaver is a proud and noble animal, etc., I know…]

But be prepared for the things you don’t see coming. Be open-minded.

Fear and calculate for the worst case.

Don’t focus on chance %, focus on avoiding the negative impacts (and be prepared to take a stand that they will be high!)

Don’t ‘Me, Too’ or pass the buck; take your own stand. When passing the buck, the Greater Fool Theory will catch up with you: If you have a problem, pass it on to an even greater fool than you and it will end up with the greatest fool – if you don’t know who that is, it’s probably you.

(Don’t fight forecasters, just play pranks with them)

Now this ties in with the direction that Risk Management is going. Or, should be going.

Page 40: Down the Blind Alley (PDF)


Hmmm, what’s that below the author name …!?

Or, is he the only one who has read the thing so far …? I would have guessed he knows what’s in the book already; why read it then …?

Page 41: Down the Blind Alley (PDF)


Risk Management as a meme may be at its peak. Nice. Now get down to doing something other than holiday activities. You’re (or rather, ‘they’ are) paid to effectively deliver something.

What not to do: Keep on climbing. Remember the Tradition (de)motivator …?

[Repeat]

Don’t focus on chance %, focus on avoiding the negative (!) impacts (and be prepared to take a stand that they will be high!)

Don’t ‘Me, Too’ or pass the buck; take your own stand. When passing the buck, the Greater Fool Theory will catch up with you.

And don’t, don’t use flawed logic or flawed quasi-mathematics. Those cures are far worse than the disease.

Page 42: Down the Blind Alley (PDF)


Official Risk Management will disappear as a separate mega-function; it will revert to only coordinating the work of risk officers in the first line. The latter will be information security.

The ‘Program’ aspect of Risk Management will wane. (Re Michael Porter)

What Risk Management (i.e., we!) will have to do:

• Team up with physical security, learn from them:

• Be Prepared

• Prevent, and detect and remediate, in balance

• Assume the worst. Be sure to be able to mitigate the (negative) consequences. Be sure to see exponential relations.

• Incidents will always happen. Get over that. Note that we’ll have a job forever…! Run away from the company that thinks you have ‘solved’ their problems.

• Focus on qualitative risk assessments. Quantities are a fraud. Qualitative risks are more easily communicated.

• Do ruthless scenario analysis and stress testing. Frappez, frappez toujours! [Attrib. Napoleon: Strike, strike always when you can, strike hard]

• Distinguish between reliance on information flows and IT versus threats and vulnerabilities.

• Be alert. Learn from the military: a G2 or S2 (intel) officer in a general’s staff functions as aid to operational and tactical management re information gathering. G3/S3, the general himself (herself??) decides ..! Continuous sitreps. (Then, Audit can function as an airmobile brigade on hire; with you, not against you!)

• [Be alert. The world needs more lerts.]

• Don’t be bureaucratic about department borders, silos, or about neatly divided 3, 4, 5 lines of defense.

• But do the simple things bottom-up, first things first, and build structures on that. Evolve.

Page 43: Down the Blind Alley (PDF)

And that's where many laws and regulations, and many risk management departments, fail today. The top-down, smoothly deductive design in isolated departments leads to analysis paralysis, with results that don't fit in practice. The ideal may call for square pegs, but they don't fit in round holes.

The problem of squaring the circle is provably impossible to solve. When this problem is translated to risk management, it would be "just one of the many issues for which the solution is postponed for a while; first let's do a pilot." The problem doesn't go away by ignoring or denying it!

All worst fears come true, because

A. They just do, you better count on that
B. We better not remain stuck in analysis paralysis
C. Or we deny the worst problems and live happy-go-lucky till we don't.

This translates to information security, too: Don't wait till others stop whining. Solve problems first, then do marketing.

[Marketing being translating what you have achieved into regulationspeak to demonstrate compliance.]

Act now, talk later!

Will do is nothing. Doing is something. Have done is everything.

Page 44: Down the Blind Alley (PDF)

Ah, life may not be just that simple and we may indeed ourselves need categorization, if only to be sure we are doing 'all' the right things.

"Factors may be:

• Irregularities in human performance;
• Machine and/or system break-downs;
• Failures to maintain standard operating procedures;
• Inadequate assessment of impact of external forces (market, economy, political environment);
• Inefficient use of resources (funds, personnel, equipment, technology, knowledge);
• Lack of appropriate controls of business functional complexity."

As an example. The factors overlap. And they may be factored down to root causes, but they work forward, in a mesh of effects and feedback loops. Which might be solved with e.g. Markov chain analysis, but there we have the huge sensitivities for slight variations in input parameters again…
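The sensitivity just mentioned, as an added example that is not from the presentation: a constructed three-state chain (Normal, Degraded, Incident) built from the factor list above, with made-up transition probabilities; it computes the expected time to the first incident and shows that a one-percentage-point nudge on the rarest, hardest-to-estimate input (escalation) moves the answer far more than the same nudge on the others.

```python
"""Added illustration (not part of the presentation): a constructed Markov-chain
risk model of the kind the text alludes to, used to show how much its output
moves when one input probability is nudged by a single percentage point.

Constructed chain, all probabilities are made-up illustration values:
  Normal   --p_degrade-->  Degraded  (human irregularity, SOP not followed)
  Degraded --p_recover-->  Normal    (feedback loop: remediation works)
  Degraded --p_escalate--> Incident  (absorbing: the negative impact lands)
Output: expected number of periods until the first Incident, starting Normal.
"""


def mean_time_to_incident(p_degrade: float, p_recover: float,
                          p_escalate: float) -> float:
    """Expected periods from Normal until absorption in Incident.

    For an absorbing chain the mean absorption times t solve (I - Q) t = 1,
    Q being the transient-to-transient block. Here Q is 2x2 (Normal,
    Degraded), so the first unknown is taken directly by Cramer's rule.
    """
    # I - Q, rows/cols ordered (Normal, Degraded)
    a = [[p_degrade, -p_degrade],
         [-p_recover, p_recover + p_escalate]]
    det = a[0][0] * a[1][1] - a[0][1] * a[1][0]  # = p_degrade * p_escalate
    # Right-hand side is all ones, so Cramer's numerator is a[1][1] - a[0][1]
    return (a[1][1] - a[0][1]) / det


def sensitivity(p_degrade: float, p_recover: float, p_escalate: float,
                bump: float = 0.01) -> dict:
    """Relative change of the output when each input alone is raised by bump.

    Returns {parameter_name: new_output / base_output - 1}.
    """
    base = mean_time_to_incident(p_degrade, p_recover, p_escalate)
    variants = {
        "p_degrade": (p_degrade + bump, p_recover, p_escalate),
        "p_recover": (p_degrade, p_recover + bump, p_escalate),
        "p_escalate": (p_degrade, p_recover, p_escalate + bump),
    }
    return {name: mean_time_to_incident(*args) / base - 1
            for name, args in variants.items()}


if __name__ == "__main__":
    print(f"mean periods to incident: {mean_time_to_incident(0.10, 0.30, 0.02):.1f}")  # 210.0
    for name, rel in sensitivity(0.10, 0.30, 0.02).items():
        print(f"+1 pp on {name:<10}: {rel:+.1%}")  # -6.9%, +2.4%, -31.7%
```

The same one-point nudge shifts the answer by about 7% via the degradation rate but by a third via the escalation rate, which is exactly the input nobody has reliable data for.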

Though, it must be said, the above list has enough perennials to work with …

So, stifle and paralyze the model freaks with their own methods. How effective was their budget spend ..?


Page 45: Down the Blind Alley (PDF)

A second major line of business for us: stress testing. Since perennials tend to return on a larger scale too, but in an unpredictable way – we don't learn enough from history to be able to pick up the right early warnings and feed those through the right models.

The financial industry has moved from basic indicators to stress testing using scenarios. Reason: Systemic risks in the sector. Currently done only for the financial industry / interdependencies of financial instruments.

The Dodd-Frank Act includes regulations on "crisis management" in the financial industry. Whereas Basel's BIS (and BCBS) focused on minimum buffer capital requirements to counter, mostly!, financial crises, the Financial Standards Board now also includes data standards and collection. But still, it focuses on systemic financial risks.

The scenarios include macro-economic shocks as cause for ripples in the financial industry, by the way.

We don't have such institutions in our sector, do we?

Have you considered Advanced Persistent Threats as uncertainties about the systemic vulnerabilities of the IT industry, with its global connectedness and dependencies?

You should test for 'systemic' risks re information processing (of all kinds and processes) within your own organization, and industry-wide … Do the war games!

And do all sorts of other (systemic or not) stress tests. How to include macro-IT-shocks as cause for ripples in our industry? What would happen if suddenly a major systemic vulnerability were found in the TCP/IP stack ..? How do we get a grip on the unpredictable nature of the next major blow to the (sec) industry? I don't know. Nobody's perfect.


Page 46: Down the Blind Alley (PDF)


Now will Risk Management as a sector be allowed to move into that direction ..? Or how far are we already into a blind alley ..?

You know what happened when Alexander was told about the Gordian Knot that tied up a cart, and tied up many minds on how to untangle it.

Bam! He put a sword to it and hey presto, no more problem.

Unfortunately, it takes an Alex The Great to pull such a thing off.

Or a huge number of politicians that for once forget to cover their behinds with ever more rules. Said A the Great had the advantage of being supreme ruler, of course, so he wasn't forced into compliance with petty rules and procedures.

Nevertheless, laws and regulations are close, very close to being the Gordian knot. And let me tell you: The more tightly knit, the less effective.

Page 47: Down the Blind Alley (PDF)


If you set standards high enough, they're ever easier to go underneath.

[What game are we in …? Not so sure…]

The solution is NOT to raise the bar even further.

Regulators commonly do.

We may need an Alexander the Great.

This means

1. We need to train more on the pole vault, which is not so easy and takes numerous leaps of faith. Or we go limbo in the back yard.
2. The regulatory and risk management industry needs to move to high quality standards, i.e., smarter standards. They'll probably be more principle-based, but smarter. Not describing too much apparently random detail, but catching the health of the whole system of controls.
3. I.e., the regulatory industry needs to focus on the bottom-up approach, not the top-down structures on a case-by-case basis…
4. Guidance will be of the essence. Not guidance that is taken as an unthinking route to compliance, but guidance the other way around, allowing the flexibility we need.

Page 48: Down the Blind Alley (PDF)


Apologies to regulators, but …

Where have we lost the self-regulation …?

How can we gain control over regulations? By providing lawmakers with our own, demonstrably impartial, independent and hopefully proven effective standards …

Page 49: Down the Blind Alley (PDF)


… Darn! Forgot to delete the last few bullets.

Well, to sum up: See slide.

Nice crammy slide, this one. And yes, I'm of an age when 'slide' meant slide or sheet. What, when the Desktop is no longer a proxy for your physical desktop when you wave a tablet in the air …?

Page 50: Down the Blind Alley (PDF)


All presented is work in progress. By default, and here in particular.

All help is appreciated. [ Comments, pointers, etc. etc., to jvdvlugt åt xs4all døt nl. Please include a descriptive subject line or I might unduly offload your message. ]

Page 51: Down the Blind Alley (PDF)


Oh, trust me; the ropes are all managed by Risk Management, in line with best practice, risk appetites and predominantly with efficiency concerns in mind.

Remember John Glenn's words.

Page 52: Down the Blind Alley (PDF)


Phew! You've made it through and sat it out.

Now, are there any questions …?

Some closing remarks, after the presentation, including your input and what I learned at the Conference: It seems that the two-pronged approach to 'operational' infosec (do the simple stuff right, and defend against the impact of the difficult stuff) would best be applied at tactical and strategic levels, too. Tactical: Take care to be on board in projects. And don't say No to every business initiative; stand ready with secure solutions. Strategic: Have reports about attacks prevented ready. And demonstrate cool control over problem solving when something serious happens.

Hmmmm, this sounds like an article in the ISSA Journal in the making…