Sunday, 2 February 2014

Risky Business

There are a lot of metaphors for security, which may mean we are in a technical field or it may mean that security folk often struggle to explain their point of view.  One I have been thinking about recently is the health of a human body being a metaphor for the security of a business.  I am not the first to use this analogy, see this paper (the section "Cyber Wellness") or this blog entry.

The part of the metaphor that I want to highlight is that you are responsible for the health of your own body, i.e. if you are responsible for a business or part of it, then you get to decide how to look after your body. Now there are a lot of people out there trying to tell you the best way to look after yourself, whether it be a product to buy or a lifestyle to adopt.  Some of this will be good advice and some of it will be bad.  Likely if you go to a doctor you will believe the doctor's advice, and they are likely to give you good advice on how to be healthy, or just become healthier.

But not everyone follows their doctor's advice all the time.  Often there are circumstances that don't allow you to put your health first, whether you want to or not - sitting all day in front of a computer for years on end is a risk to your health, but if it's part of your job then you do it; flying in a plane is a risk that most people are prepared to take; driving a car is the same.  Sometimes you simply choose the unhealthy option because the opportunity cost of not doing it is much greater - flying to space is very risky but try convincing an astronaut to stop wanting to do it.  And there are of course all the small unhealthy things we do out of necessity (e.g. crossing the street), convenience (e.g. fast food) or laziness (e.g. not brushing your teeth 3 times a day).

A life lived without doing some unhealthy things, without taking some risk, is a life not lived at all.

Similarly in business: a business that takes no risk is a very risky business.  In this sense, all businesses are in the business of taking risk.

So the job of the security professional is to help the business understand the risk it is taking and help the business to minimise that risk, if that is what the business wants to do.  Of course the key concern here is getting the business to understand the risk (using security metaphors for instance!), and ensuring the business is not taking risks it doesn't understand.  Doing so is not a technical skill but a business and communication skill, which should remind security people that technical abilities alone are not the Holy Grail of being effective at our jobs.
