Firms realize that playing it safe is the riskier option


Over the past few months, however, my university and I have been negotiating a massive risk assessment and analysis engagement, with a year of follow-up risk management. We are proposing FARES (Formal Analysis of Risks in Enterprise Systems), an entirely new paradigm. As readers of this column know, FARES is about as far from the current state of the practice as it is possible to get and still be doing risk management.

But the sponsor, after thoroughly surveying the risk management landscape and trying many risk analysis products, decided this was the only answer. Why? Because there is absolutely nothing else that will manage risk in a network of this size and complexity, regardless of what the vendors say.

For the first time, in my experience, an organization was willing to risk a new approach simply because it was prepared to admit that all of the other methods being offered don't work.

The big consulting companies present old wine in new bottles and off they go, doing the same old thing but with a new batch of brochures and marketing hype. And the results? Well, I once had an email tag line that said "If you keep going where you've always gone, you'll end up where you've always been."

Now that some of that realization is sinking in, big organizations are getting ready to take a risk or two and try something that shows a lot of promise for solving problems that have never really been solved before.

There still are some providers taking advantage of the old FUD-factor that "nobody ever got fired for buying [insert vendor here]." When that happens everyone loses. For example, consider the recent FBI database debacle. How many times have we seen similar failures in the past?

If you are going to implement a major information security project, new or old paradigms aside, manage the project, assess the risk and manage the risk. Will the project complete on schedule? How do you know? Will it be on budget? How do you know? If you can't answer, even if you are willing to seek innovative solutions to tough information-assurance problems, you're headed for far bigger problems from the project itself.

Peter Stephenson is director of information assurance for CeRNS, The Center for Regional and National Security, at Eastern Michigan University
