Living beings are experts at managing risks. It’s something we have done over millions of years. It’s called, among other things, survival instinct. We wouldn’t be here if we were bad at it.
We avoid them, we mitigate them, we externalize them, we take them on.
For example, is it going to rain today? If it rains, how much is it going to rain? Do I take my umbrella? Do I stay home? Will I run into a traffic jam on the way to work? Will I be late for the meeting? Do I call to let you know? Do I try to postpone the meeting? Will I puncture a tire on the way home? When was the last time I checked the spare tire? Have I paid the insurance premium? What is the roadside assistance coverage?
All these everyday processes of risk identification and risk assessment are carried out unconsciously all the time, and we apply risk management measures without even realizing it. We grab an umbrella, call the office to inform them of a delay, attend the meeting by phone, leave home earlier or decide to take public transport. Obviously, it’s not always that easy.
However, when we move to the corporate environment, we start with risk tolerance, probability, impact and vulnerability criteria, threat catalogs (standard), strategies, risk registers, inherent, residual and projected risk, mitigation ratios. And we get lost for months in concepts, documents and methodologies, moving further and further away from the reality we have to analyze and protect.
The orthodoxy of (cybersecurity) risk management
As a result of this, a few months ago, in the middle of the pandemic, I came across an interesting article that contrasted two very different visions of risk management, which it called RM1 vs RM2.
Basically, and quoting directly from the article, RM1 would be focused on “risk management for external stakeholders (Board, auditors, regulators, government, credit rating agencies, insurance companies and banks)“, while RM2 would be “risk management for decision makers within the company“.
A few weeks or months later, Román Ramírez published an entry in a similar vein, criticizing the prevailing orthodoxy in cybersecurity risk management and the problems it generated.
[Read more…]