I typically ride a road bicycle, the kind everyone knows; the kind with curly handlebars, the kind ridden by (stereo-typically - and fortunately changing) colorful Lycra-wearing skinny guys wearing helmets and reflective sunglasses.
I also happen to be a skinny guy, and I am frequently found in colorful (red, white, and blue) kit, wearing a well-ventilated helmet and reflective sunglasses. Virtually indistinguishable from the masses, at least for the outsider.
|All you cyclists look alike!|
Even more surprising: I like to ride fast on the trails. I like to push the limits.
There's so much to love. I love the grinding crunch tires make grabbing onto a loose trail as weight transitions from side to side through fast sweepers; the thrill of feeling the rear end slide slightly in a corner, suddenly hooking up with a hard push of a pedal to thrust the bike forward; feeling trees tap the back of my shoulder as I twist my body around them to squeak every inch of speed.
|I can't do this...but I'd love to.|
Clearly I take a fair amount of risk. It's calculated risk, trained risk, but risk all the same. I know nature will win if I come into contact with her. I know which trees I've hit but you'd never be able to tell.
We, as humans, are really good at recognizing risk when it's up close and personal. We'll smoke a cigarette or eat a double cheeseburger and fries, but we're ready to run like hell when something moves in the bushes behind us.
Make no mistake. I recognize the risk of every treegate, every rock garden; I recognize the risk in a visceral way, and I've bailed on even simple terrain features because my confidence (risk tolerance) plummeted.
I manage my risk. I get good, grippy tires. I have a well set-up, full suspension mountain bike. I wear full-finger gloves. I wear a helmet. I wear (sun)glasses. I maintain my bicycle, and I check over all my equipment before every ride.
I don't over-ride new trails. (Usually.)
We all do this. We manage risk every day. I just happen to do it as a job: I manage information security risk.
It's hard, and my trail riding is a great example of why.
When presented a choice laden with risky options, the sense of control over that choice can give a sense of control over the results. In other words, by deciding to take a risk, I'm also control if the risk will manifest.
I decide to aggressively ride trails, so I'm not as likely to wreck. Worse, while the precautions I take may give some mitigation, I over-estimate their effect.
What is more challenging is that risk that is not clear and present is harder to for us to respond to. As I ride along a cliff edge I'm extremely cautious and ride slowly - the risk is visceral, and has a visceral response. As I ride on a trail that could have cliffsides on it, I ride faster. Until I see the cliff before me, I'm less likely to consider the risk I'm creating by taking less care to manage my speed and control.
It's even worse with things like eating unhealthy food. The effect of eating a fat-laden cheeseburger is far off, occurs incrementally, and is countered by the initial benefit the burger provides.
|Sorry, Sonic, but this turns my stomach.|
Intellectually, this is incredibly frustrating. We're fighting the built-in human instinct to worry about what matters now as we try to illustrate the risk of the future. Many executives are watching dollars, it's a struggle to make an investment in something that doesn't address an immediate concern. We even have a term for people who can do this: visionary. A great example is employee pay in retail; paying employees better results in a cleaner, better organized store, with better customer service and better sales outcomes.
I'm a loyal Costco customer (and a former Costco employee). Costco treats its employees very well, and is exceptionally profitable. I simply cannot understand why other companies don't make these investments.
I digress slightly to make a point. If such a decision that drives directly to the bottom line is resisted, our plight in Information Security is tenfold. We're not adding to the top line like Costco, we're preventing loss at the bottom line.
Our world plays out like this: We create elaborate risk charts. We budget for contingency action after an event. We document impact of fines, legal expenses. We estimate collateral damage to brand. We get a sympathetic audience, but we see only incremental change.
Then it happens. Target. Epsilon. South Carolina. Risk manifests, and everyone wants to know "can it happen to us?" This is the Nuclear Power Plant of risk, one melts down and suddenly everyone wants to shut down their local plant or move away. If you're at one of these, or other, organizations, your security budget exploded. For the rest of us, nod your head with me: I've used these events to illustrate the information security risk we take.
We made the risk real.
So I hit a the tree. Why? Did the front tire wash out? Did the suspension rebound too quickly? Too slowly? Not enough damper? We present technical solutions to drive risk out of the system.
Or was I simply riding too fast? The human is the root of most of our risk, whether it's not knowing there's a proverbial cliff behind a link in their e-mail, or cutting corners in the implementation or use of technology preventing them from seeing the tree before we hit it.
As for me, I was probably just riding too fast. I'll learn my lesson...at least until I've recovered, then I'll do it all over again.
(I'm sure there's a few of you that didn't feel a need to ask for investment after a major security event. I would love to hear your stories - how did you get the support you needed to be fully invested in information security without having the driver of manifest risk across the street?)