Wednesday, August 15, 2012
Why Risk Management is an Infosec Worst Practice!
It is very easy to find information security professionals who can wax poetic about multiple risk management methods. Unfortunately, when these methods are measured rigorously, they don't appear to work. Yes, it is important to admit that many risk management approaches result in neither a measurable reduction in risk nor an improvement in decisions.
Many risk management practices also fail to account for known sources of error in the analysis of risk or, worse yet, add error of their own. Whenever an ISACA-certified member comes by to certify that you adhere to clean desk policies, can they provide strong data to support their stance, or is it more anecdotal in nature? Which is a better risk management technique: having a clean desk or ensuring that all of your number two pencils are sharpened?
Let's face it, most of information security's approach to risk management is a big fat joke. You would think that information security professionals would be keenly aware and respectful of failure, yet they too tend not to know when their own risk management system has failed (except in scenarios where there is no longer any business to protect).
Is risk management nothing more than a method that can be fooled by a kind of "placebo effort" where best practices are obtained via groupthink? What are the performance measures for the risk management approach used in your organization? I suspect even your Chief Risk Officer will be blissfully ignorant of how to answer this question.
The widespread inability to make subtle but important differentiations between methods that work and methods that don't work means that ineffectual methods may spread like the plague. Interestingly enough, a few process weenies will latch on to the plague, label it a "best practice" and help contaminate others.
I suspect there is a strong correlation between how AIDS is spread amongst society at large and how enterprises continue to adopt silly practices. They both have long incubation periods and are passed from one party to another with no early indicators of ill effects until it's too late.
If you want to practice genuine risk management, be skeptical of sentiment, snake oil salesmen and auditors with ISACA certifications...