Bulletin 3 May 2019. Security vs risk, and monkeys writing Shakespeare
Show me the money
Before I start, I was saddened to learn this week of the death of Cyril Freedman in 2017. I doubt you will have heard of Cyril: I worked for him a few years back, as technical lead at a medical startup he co-founded. I remember him saying how the first company he started involved a table and chair, a telephone, a notebook and pencil. I remind myself of this frequently, particularly when technology seems only to be adding complexity to an otherwise simple situation.
I’d also like to say thank you to all those who comment on my bulletins. If you are interested, I send it out to over 300 people weekly, a third of whom read it. It’s a nice number of people I generally know and rate, and generally the feedback is “Keep ‘em coming,” which is pretty much the reason I do. I did receive a couple of specific responses to the 19 April newsletter, about IT security:
Ian: “Actually its a risk process. And it is a continual process in some organisations. And it's tested, frequently. Because of the day zero issue nothing is foolproof, but a lot of people are not as complacent as they once were.”
Graeme: “Whilst technology built with security considered up front would be welcomed, I suspect it stifles innovation and so we’ll always rely on the patching and 3rd parties to provide security.”
On the first point, yes, thank you Ian, that’s reasonable: all sweeping statements are doomed, including this one. Having worked for both government and financial industry clients, it would be folly to suggest that organisations don’t ‘get’ risk. It’s a difficult thing to measure: if you ask someone whether they care about security, they would of course say yes but then we have a case of, “don’t watch the mouth, watch the feet.”
And meanwhile, the point illustrates why I’m a huge advocate of communicating security risks in business terms, to the board. If one says, for example, “We need mechanisms to prevent anti-phishing attacks,” the obvious answer is “Why?”; however, if one says, “3 of our nearest competitors have suffered financial losses of <insert figure here> due to anti-phishing attacks,” the decision then comes down to the board as to whether they see the risk as acceptable. All businesses take risks, so it becomes a question of adding IT security risks to the pot (a.k.a. risk register) in the clearest way possible.
Which brings to the second point about security stifling innovation, which to be fair, is also about risk. Innovation cannot exist in a vacuum… well, it can, but taken to extremes we are with analogies about monkeys typing Shakespeare. It makes a modicum of sense for our innovation efforts to be directed, focused and measured, delivering on both efficiency and effectiveness criteria; it also makes sense that we want to remove whatever might slow innovation, for example overbearing security tools and practices, at the same time as maximising the quality of the outputs such that we don’t just add costs down the line.
As my old friend, mentor and value management guru Roger once told me, ultimately it will all be down to money, or at least financial measures. Which makes sense: so the question becomes whether we try to do things right first time, versus accepting a longer term risk (and potential cost) as a way of making something happen at all. Sometimes (business) success is about audacity, but this needs to be balanced against failure caused by out-and-out recklessness.
Smart Shift: The Dark Arts
Confession: I must have quoted this paragraph from John Brunner a dozen times in white papers and reports, through the years. This week's section is (funnily enough) all about security, from Stuxnet to Snowden. "The only war going on is one for the soul of the Internet.” But can it be won?
Thanks for reading, Jon