Risk Assessments/Management

Why Your Risk Management Practice Shouldn’t be On-Trend

By Ed Moyle

If you’ve been to a security conference recently, did you notice how much of the expo floor was dedicated to folks hawking one of either blockchain, AI, or IoT products (or, in some cases, all three)? The hype is real and OMG does this industry generate a lot of it.

Why hype happens isn’t a mystery. Humans are social creatures. This in turn means that they will tend to share with each other the things that they are excited about and interested in. Likewise, there are very real impulses (driven by human nature) that cause hype to build and for practitioners to “follow the crowd” when it comes to making security decisions. For example, some people are, by nature, competitive: if they see a peer doing something—a colleague, friend, or someone they know at another company—they don’t want to be outdone. Likewise, others will (consciously or otherwise) follow a “safety in numbers” strategy—they seek to keep pace with what other, similar organizations are doing.

These are natural tendencies and, in many cases, serve those doing them in good stead. The trouble in a security context though is that they can, given the right set of circumstances, lead to decision-making that is not only sub-optimal but that is actively dangerous.

What’s all this about a tugboat?

To illustrate why and how its potentially dangerous, consider the 1932 decision made by the US Court of Appeals for the Second Circuit related to the T.J. Hooper. Now, I’m not a lawyer, but I do find this particular piece of case law to be an informative and useful one for individuals making decisions about security to have in the back of their minds.

If you’re not familiar with this case, the short version is that two tugboats (the T.J. Hooper and the Montrose) operated by Northern Barge towing company, lost their cargo (i.e., barges filled with coal) because of a severe storm. The owners of the barges sued Northern Barge on the basis that, had they installed radios in the tugs (which were not installed), they would have received storm warnings in time to seek shelter and avoid the loss of the cargo.

In this case, Judge Learned Hand (his actual name—and also probably one of the coolest names ever) wrote that even though there was no “maritime custom” to install radios—and, in fact, most companies had not done so—that the towing company was nevertheless negligent for not having a radio on board. The judge concluded that, should the value of implementing a safety precaution outweigh the cost of doing so, not implementing the precaution is negligent. In other words, “custom” (i.e., the actions taken by the crowd) does not dictate the professional standard of care.  

Both this conclusion and the way it is expressed in this case are interesting to me. First, the conclusion itself (i.e., that custom doesn’t dictate standard of care) is interesting because it sheds light on how we should view what others are doing with respect to security. Meaning, it doesn’t matter what someone else does because you should be evaluating these outcomes for yourself. Moreover, the way this is expressed is interesting too because it’s the “in a nutshell” version of pretty every risk management modeling technique that has evolved subsequently. For example, the NIST RMF (the Risk Management Framework), though significantly more complicate and evolved and Judge Hand’s summation, is based on this same essential logic.

Your company is not a gazelle

The upshot of this is that, while “following the herd” might be a fine strategy for a gazelle on the savannah looking to avoid hungry lions, it’s not a good strategy for your organization’s security efforts. This is true for a few reasons. First, gazelles—even those following the heard—still get eaten; a hungry predator will still single out one or two victims from among the herd. This means that, while herding ensures the survival of the group as a whole, it’s a non-optimal strategy for those unlucky individuals.

But beyond this, it’s also not a good strategy based on the implied standard of care and negligence obligations we just talked about. Instead, what’s more effective and does meet those obligations is workmanlike and comprehensive risk management based on systematic observations and careful evaluation.

Everyone knows that organizations have struggled to implement effective risk management. Of organizations that do it at all, many do it only inconsistently or sporadically. This is problematic in aggregate (as we’re seeing play out in the constant barrage of security-charged headlines) and likewise problematic for individual organizations as they struggle to optimize and most effectively marshal their defenses against attackers.

The point? Instead of buying into the nonstop hype, instead use it as a way to help bolster risk management efforts. For example, if an executive asks about the security of IoT in your organization, you might use that as a springboard to suggest a broader risk assessment effort for OT, embedded devices and, yes, IoT devices in your organization. You might suggest a broader effort to discover and inventory devices generally (IoT or otherwise) and evaluate them from a risk perspective. If there is attention from business teams on using blockchain technologies, you might suggest a systematic evaluation of the risks associated with current ledgering mechanisms in use. Doing so not only ensures that you’re getting return on investment for a blockchain deployment (not always a given depending on how it’s used) but can allow you to evaluate systematically risks that might be extant in the business processes you employ today.

The point is, many practitioners view hype as having only two possible responses: to be frustrated by it or to buy into it. There is a third option though: which is to have it serve as a reminder to us about the standard of care (which, as discussed above, really should be evaluated by us individually) as well as an opportunity to harness that interest to make progress on more comprehensive and holistic security goals.

If you're looking to enhance your leadership skills and learn to align security with business priorities, attend MISTI's Security Leadership Exchange, May 20-22, 2018 in Ponte Vedra Beach, FL.


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.