It could be argued that ‘management’ of all kinds (including information risk and security management) is, or rather should be, a rational process, meaning that managers should systematically gather and evaluate information, take account of sound advice, make sensible decisions, put in place whatever is necessary to implement the decisions etc., all the time acting in the organization's best interests, furthering its business objectives, strategies, policies etc.
In practice, there are all manner of issues with that approach that complicate matters, frustrate things, and lead to ‘suboptimal’ situations that may be - or at least appear to be - irrational, inappropriate or unnecessary.
In particular, there are numerous paradoxes. For example:
- The obvious core objective of a typical commercial company to make a substantial profit for its owners may conflict with various ethical and legal objectives to spend money on protecting and furthering the wider interests of society and individuals - including their privacy.
- There's a fine line between motivating/supporting/encouraging/directing and demotivating/micro-managing/exploiting employees.
- Efficiency in most matters comes at the cost of effectiveness, and vice versa. They say quality is free, but is that a lie?
- Locking secrets or other valuables in a vault limits their utility and hence practical value, but releasing them puts them at greater risk of theft and illegitimate exploitation.
- There is literally no end of potential investment opportunities, but finite resources to invest, plus unavoidable costs of simply being in business.
- Bonuses may be achieved selfishly in the short term by sacrificing the long game, presenting social and ethical challenges that are difficult to counter.
Faced with all that and more, it occurs to me that corporate management is a bit like pinball. Managers are:
- Identifying and hopefully hitting the targets that score points while simultaneously avoiding various static and dynamic hazards, some of which come out of left field;
- Using and refining whatever techniques and resources are available, perhaps nudging the table tentatively or finally getting the hang of that cool ball-spinning back-flip maneuver;
- Coping bravely with the challenges and setbacks, while also creating/engineering and taking advantage of opportunities that arise along the way.
Experienced managers appreciate that things don't always go to plan. Where possible, they prefer to retain their options and flexibility as long as practicable, and yet making real progress on almost anything requires commitment and decisive action, collapsing those options to a much smaller subset.
'Reducing uncertainty' is the prime focus of information risk management today. We do our level best to identify, characterise, quantify, evaluate and where possible reduce the probabilities and/or adverse consequences of various possible events.
Uncertainty is an inherent part of the problems we typically face. We don't know exactly what might happen, nor how or when, and we aren't entirely sure about the consequences. We worry about factors both within and without our control, and about dependencies and complex interactions that frustrate our efforts to predict and control our fortunes. We adopt fallback and recovery arrangements, and apply contingency thinking with the intention of being better prepared and resourced for unanticipated situations ahead.
A random comment on LinkedIn set me thinking about the converse: 'reducing uncertainty' is the flip side of 'increasing certainty'; in other words, information risk management is equally about increasing the certainty of beneficial, valuable outcomes, such as not suffering the adverse consequences of incidents as often and/or as severely. It's also about increasing certainty in general, which is why we put so much effort into gathering and assessing information, monitoring and measuring things, and implementing mitigating 'information security controls' that give us some semblance of control over the risks.
Assurance is a big part of reducing uncertainty. We check and test things, review stuff and conduct audits to increase both our knowledge of, and our confidence in, the arrangements. We seek to identify and tease out potential issues that need to be addressed in order to avoid nasty surprises.
Resilience is another chunk. Building the strength and capability to respond effectively and efficiently to whatever might happen, maintaining critical activities throughout, is a powerful approach that extends from individuals through families, teams and departments, to organisations, industries and society at large.
Thanks to those uncertainties, we are inevitably building on shaky foundations. Our information risk management practices and information security controls are imperfect ... but at the same time they earn their keep by generating more value than they cost, for example by:
- Providing credible information about various situations, allowing us to make rational decisions, prioritise and plan things, allocate appropriate resources etc.;
- Reducing or constraining the problem space where possible, increasing our ability to focus on The Stuff That Really Matters;
- Allowing us to consider and deal with potential incidents in advance, knowing that we will struggle to do so during some future crisis.
Along with assurance and resilience, that added value is clearly a positive, beneficial aspect to information risk management ... in contrast to the rather negative edge on 'reducing uncertainty'.
I'm not arguing that 'increasing certainty' should be our new mantra, rather that we might be more business-like in how we go about what we do, putting more effort into increasing and talking up the positives and less into reducing and warning about the negatives. In my experience, managers are more inclined to invest willingly in activities that are positioned as, and appear to be, value-enhancing and beneficial to the organisation, rather than loss-reducing, even though they amount to the same thing in this context. It's all about perception and emphasis.
More carrot, less stick please.