Study Risk Taking, not Risk Management!

This week we continue our Mistakes of Mainstream Management [MMM] series with a focus on risk and specifically cybersecurity risk that many tech. executives worry about! Even if you don’t work in the field of cybersecurity or tech., the dominant paradigms and “best practices” of that field profoundly impact your life - as a customer/user of technology products and services - from emails to banking, from concert tickets to governmental services, etc.

Even though cybersecurity is a top area of interest/concern/priority for executives and leaders, many cybersecurity teams continue to struggle to effectively defend their organization and their customers against external adversaries.

It is not just the external pressure - having been in the trenches of the cybersecurity industry for the past 23 years, I know how stressful it can be internally as well. Lack of funding, conflicting priorities, etc.

Is anything fundamentally flawed in the current dominant approaches of cybersecurity teams in terms of how they view and treat risks? Let’s dive in…

Table of Contents

• Risk Taking vs Risk Management

• Traffic-light Risk Management

• The Antidote to Reductionism

• Adams’ 3rd Law

• The flaws of traditional GRC

• What can we do instead?

Risk Taking vs Risk Management

What’s the problem with "risk management”? Isn’t that a “best practice”? Isn’t that what all corporations do - not just for cybersecurity risks, but also for financial risks? Isn’t that what financial institutions have been doing for the last several decades?

Well, traditional risk management approaches used by most financial institutions is also flawed. You see, you cannot separate the income-generating techniques from the risks associated with it - they are not separable. They are all in the same class of decision making: Decision making under uncertainty. Listen to Nassim Taleb talk explain this elegantly:

Here is a simple question: Will you invest your money with a “wealth manager” who says that he/she will ONLY work on managing the upside, but the management of the downside is dictated by a framework defined by a different department that has no clue about what it means to be a trader in the market?

I won’t!

This is the trap that many cybersecurity teams fall into. The whole idea of “Governance, Risk and Compliance” (GRC) departments has turned out to be very ineffective in practice. Don’t get me wrong! While there are some effective GRC teams out there, I’m stating that many remain ineffective because of their flawed approaches.

The ideas that I’m about to discuss are not new! Many effective CEOs and Chief Information Security Officers (CISOs) intuitively get this. They understand that there is a business to run and that there is no such thing as perfect security.

They can hold two conflicting and paradoxical ideas/goals (e.g. security vs productivity) in their head. They are good at walking the talk and enable the business to take intelligent risks. They know where to draw the line to keep the business viable and thriving in an uncertain and rapidly changing environment.

They typically seek systemic solutions instead of naming and shaming their own people. For example, issuing every employee a FIDO key (a non-phishable credential) instead of running a phishing campaigns against their own fellow employees and penalizing them with mandatory training and warning notices.

But for other cybersecurity professionals and leaders and for that matter Tech. executives, this type of thinking and dealing with trade-offs is heavily constrained or blocked because of their organizational structure, policies, and other reductionistic approaches. There is a different lens to look at the current situation and it is high time we challenged the dominant paradigms.

Traffic-light Risk Management

Cybersecurity field already suffers from hyper-specialization. But, the worst of all is the idea that you can have a separate team that focuses only managing on cybersecurity risk - without truly understanding the technology and the business risks/opportunities. Yes, the external regulatory pressures have increased in the last few years - but, you can’t navigate that effectively with GRC teams dumbing down cybersecurity risk to the colors of a traffic light.

This is similar to what today’s “nutrition science” suffers from. As Marion Nestle put it, “it takes the nutrients out of the context of the food, the food out of the context of the diet, and the diet out of the context of the lifestyle”. Based on the paper you read, the same ingredient could either kill you sooner or make you live longer! With this type of an approach, the same ingredient can be both risky and safe.

When you ignore the interactions between various actors in the system and also the larger context each “problem” or “risk” is embedded in, we end up making wrong decisions.

It doesn’t matter that each individual cybersecurity domain or specialization has made significant advancements in their field. Product security teams continue to innovate in the domain and GRC teams continue to build fancy dashboards and workflows to “manage” the risk. But widespread security incidents and breaches tell a different story in terms of their collective effectiveness.

I offer no solutions or prescriptions in this newsletter. But, I will give you a new lens and help build a new worldview with which you can think and come up with your own solutions. For premium-tier subscribers, I will now discuss the following:

• Antidote to reductionism: Is there a discipline that can help us pivot away from our current reductionistic approach?

• Adams’ 3rd Law: I’l apply a specific insight from systems thinking and discuss its implications on cybersecurity strategy and organizational design.

• Flaws of traditional GRC & what to do instead: I discuss the various pitfalls of traditional GRC and discuss alternative approaches.

Subscribe to "I'm Serious" to read the rest.