Most types of management are risk management was one of a number of points of discussion at the Risk Management Smackdown II panel at the RSA Conference 2012 in San Francisco this week.
The panel's subtitle, The Wrath of Kuhn, referred to philosopher Thomas Kuhn, who speaks of “proto-science,” somewhat random fact gathering (mainly of readily available data), which he terms a form of philosophical speculation that provides little guidance to data-gathering practitioners.
The freewheeling discussion among the panelists, taking off from there and prompted by questions from the audience, hovered around issues of balancing the scientific element of data gathering with the art of interpreting the information gathered from assessments, and examined some of the challenges risk managers face – from getting executive buy-in to assuring that new products are secure.
The panel consisted of David Mortman, chief security architect at enStratus; Allison Miller, director of security and risk management at Tagged; Alex Hutton, director of risk at a financial institution; Andy Ellis, CSO at Akamai Technologies; and Bob Blakley, VP, distinguished analyst and agenda manager for Gartner.
In opening statements, Miller said that at her former job at a financial institution she focused on protecting user accounts, while in her new position at a social media operation her focus was more targeted at using pattern recognition and problem solving to make sense of complex systems. But, she added, “most types of management are risk management.”
Hutton said his work focuses primarily on audit and the data science, while Ellis said he teaches people about risk, but that is only half of the recipe. The other part involves calculating for unforeseen events. This is where a balance between the science of data gathering and the art of interpretation must be forged, he said.
Meanwhile, Blakley, in a full devil costume, spoke, literally, as a devil's advocate. “There's a lot of talk about how risk is bad,” he said. But, risk management is, in fact, evil and the enemy of security, he said in his devil guise, because it forces metrics to be applied after the fact, calculations that can often get in the way of implementing a security strategy that addresses more than patching a master list of vulnerabilities that have already been proven exploitable. “Compliance is one of my greatest inventions,” Blakley (as the devil) said.
When an audience member asked, "How do you defend against something you don't understand," Hutton answered that people have a level of risk tolerance that can be increased if they are made to believe they have been made more secure via a new strategy, policy or tool.
As to the challenge of how security staff can work better with people in charge of risk, a good number of those in the audience said they serve both roles.
But, there are a number of other tasks that remain to be resolved. “We need to know how to skate to where the puck is going to be,” said Hutton.
The good news, said Miller, is that a maturing process is occurring a more and more data that can be used to build more accurate models of risk is assembled.
Effective risk modeling can be used to defend enterprises effectively, if done carefully, added Hutton.
The bottom line: “Businesses care about risk,” Ellis said.