Last week, I had the privilege of leading a full-day risk summit on information security (cyber) risk in Orlando at the 2016 Infosec World conference.
Over 50 professionals attended the summit, representing a wide variety of industries and roles. Alongside me in providing the seminar were two outstanding professionals and friends of mine: Evan Wheeler (VP of Operational Risk at DTCC) and Ron Woerner (Director of Cyber Security Studies at Bellevue University).
We started out the day by asking attendees to answer a small set of questions in a survey:
- How much experience do you have with risk management?
- What are the top 3 risks for your organization?
- From the topics in the agenda, what are your greatest pain points?
The results were… interesting.
It’s important to know up-front that most of those in attendance were not rookies in the field — as illustrated below:
I’ll also add that during the course of the day many of these people showed very strong critical thinking skills, as evidenced by the excellent questions they asked and observations they made. But even good critical thinking skills will only get you so far if you’re forced to operate from a shaky foundation…
Top 3 Risks
I had a hunch going in regarding how this would turn out, and I wasn’t disappointed. Below is the word cloud that represents the top risks in the eyes of those in attendance:
This isn’t the first time I’ve seen people, regulatory, insiders, data loss, phishing, and vendors described as top risks. Unfortunately, most of these aren’t risks, which simply reinforces the confusion about risk that I wrote about in the first two posts of my prioritization blog series.
The last question in the survey though, is where I believe one of the key challenges in our profession was really highlighted. The chart below shows how the answers played out:
The numbers in the circles represent the average of all the ratings on each pain point (on a scale of 1 to 10). You can also see the shaded distribution outlines along each scale, which show the degree of consistency within the answers. Confusion about risk ranked lowest, while risk measurement and communication ranked highest. Here’s the problem though: from everything I see in our profession, there is tremendous confusion about risk, beginning with what it is in the first place (witness the word cloud above). Without clarity on that, there is no way you can measure and communicate it effectively. Furthermore, without effective measurement, it is nearly impossible to prioritize effectively (at least with any degree of confidence).
So here’s my take on what this suggests. As a profession:
- We recognize that we struggle to measure and communicate risk effectively.
- We don’t recognize (or at least we under-appreciate the significance of) the level of confusion in our industry about what risk is and how that affects our ability to measure it.
- We prioritize the stuff on our plates (because we have to) but probably give ourselves too much credit for how well we do it, given that overall we aren’t good at measuring risk and aren’t clear on what risk is in the first place.
The bottom line is that until we get clarity on risk, everything else is a crapshoot.
Clearly, this is a small, not-entirely-random sample (composed of people who paid to attend a day-long risk seminar), but I’ll be gathering more data over the coming weeks from groups that are more general in nature. It will be interesting to see whether the additional data sheds different light on the subject, or whether it simply reinforces my suspicions.
In a future post, I’ll place a bullseye on some key contributors to the confusion that plagues our profession. Stay tuned…