Over 50 professionals attended the summit, representing a wide variety of industries and roles. Alongside me in providing the seminar were two outstanding professionals and friends of mine: Evan Wheeler (VP of Operational Risk at DTCC) and Ron Woerner (Director of Cyber Security Studies at Bellevue University).
Survey
We started out the day by asking attendees to answer a small set of questions in a survey:
The results were… interesting.
Experience Levels
It’s important to know up-front that most of those in attendance were not rookies in the field — as illustrated below:
I’ll also add that during the course of the day many of these people showed very strong critical thinking skills, as evidenced by the excellent questions they asked and observations they made. But even good critical thinking skills will only get you so far if you’re forced to operate from a shaky foundation…
Top 3 Risks
I had a hunch going in regarding how this would turn out, and I wasn’t disappointed. Below is the word cloud that represents the top risks in the eyes of those in attendance:
This isn’t the first time I’ve seen people, regulatory, insiders, data loss, phishing, and vendors described as top risks. Unfortunately, most of these aren’t risks, which simply reinforces the confusion about risk that I wrote about in the first two posts of my prioritization blog series.
Pain Points
The last question in the survey, though, is where I believe one of the key challenges in our profession was really highlighted. The chart below shows how the answers played out:
The numbers in the circles represent the average of all the ratings on each pain point (on a scale of 1 to 10). You can also see the shaded distribution outlines along each scale, which show the degree of consistency within the answers. Confusion about risk ranked lowest, while risk measurement and communication ranked highest. Here’s the problem though: from everything I see in our profession, there is tremendous confusion about risk, beginning with what it is in the first place (witness the word cloud above). Without clarity on that, there is no way that you can measure and communicate it effectively. Furthermore, without effective measurement, it is nearly impossible to prioritize effectively (at least with any degree of confidence).
My Take
So here’s my take on what this suggests. As a profession:
The bottom line is that until we get clarity on risk, everything else is a crapshoot.
Clearly, this is a small, not-entirely-random sample (composed of people who paid to attend a day-long risk seminar), but I’ll be gathering more data over the coming weeks from groups that are going to be more general in nature. It will be interesting to see whether additional data sheds different light on the subject, or whether it simply reinforces my suspicions.
In a future post, I’ll place a bull’s-eye on some key contributors to the confusion that plagues our profession. Stay tuned…