I never would have imagined that my training in risk management reached back to the ninth grade. But in retrospect, it did.
Brother Cornelius was my math teacher in the ninth grade. One of the things I remember about him was that he forced us not only to arrive at the right answer, but also to explain how we got there. He always seemed to have a pithy saying to accompany our discussion when solving a problem. For example, if students offered different, defensible ways of reaching a correct solution, he might say, “chacun à son goût” – literally, “each has his taste.” I’ve had French instructors tell me that “à chacun son goût” (“to each his taste”) is preferred, but the translation remains roughly the same – to each his own. At other times he would revert to Latin, saying, “de gustibus non est disputandum”, meaning “it must not be disputed regarding tastes”, or again, to each his own.
However, one of my favorite of his bon mots was this one which he would toss out if we got the answer correct, but missed the point of the analysis:
“The greatest crime and the worst treason,
Is to do the right thing for the wrong reason.”
When I was putting this piece together I Googled the last quote as I remembered it so that I could give it proper attribution, and discovered that the original is a bit different. It comes from T.S. Eliot’s short play Murder in the Cathedral:
“The last temptation is the greatest treason: to do the right deed for the wrong reason.”
The Xaverian Brothers were surely economical in their teaching approach – we got Math, English Lit, French and Latin all rolled into one class.
Any quote worth remembering (either accurately or inaccurately) stays with us because it is meaningful over time and in a variety of circumstances. It occurs to me that the Eliot quote is pertinent in the risk management and security business today. A risk-based approach to securing an organization’s assets, whether those assets are information or something tangible, has always been a best practice and simply a very good idea. After all, how can you build a sound security program without understanding what you are protecting, what has value, what the threats to those assets are, and how they are vulnerable – all elements of risk management?
But over the past several years many organizations have adopted a risk-based approach only because they have been forced to. Regulatory compliance has become the driving force behind risk-based security, forcing organizations to practice the basics of policy development, risk assessment, risk remediation, etc. Yes, these are all the right things to do, but is doing them in order to achieve compliance the right reason? I would contend that if an organization answers “yes” to that question, it probably is not truly committed to risk management, is not a true believer and does not reap all the benefits of a risk-based approach.
Too many times we come across organizations that claim to be compliant, whether it is for purposes of privacy, PCI or other external forces, but when we dig beneath the surface it is obvious that the claim is just barely valid. In many cases, it is not valid at all. The goal is to “check the box” on the compliance questionnaire rather than to really embrace the spirit of the requirement or standard.
Let’s not forget that there are many other great reasons for managing IT risk beyond privacy, beyond protecting credit card information. There are plenty of assets to protect beyond social security numbers and credit card information. You have intellectual property, trade secrets, physical assets, and indeed your normal functioning operations themselves to protect. But if your focus is on those things that the compliance form says you “must do”, you may lose sight of the larger picture and those things that are equally important to your organization’s success. You will be doing the right things, but for the wrong reason, and probably with limited effectiveness.
Let us not forget a point made earlier, that effective security and risk management indeed go hand in hand. Information security is nothing more than people, processes and technologies arranged and configured in response to the unique risk environment of the particular organization being secured. Another way to look at it is like this: there are no security issues – there are risk management issues with potential security solutions to those issues.
In closing, consider this passage from NIST Special Publication 800-39 “Managing Risk from Information Systems – An Organizational Perspective”, which expounds upon risk management for the right reasons:
In addition to developing and deploying an effective information security program, there is great benefit to be obtained in reducing risk from information systems by building an information technology infrastructure that promotes the use of shared services, common solutions, and information sharing. Applying the principles and concepts used in enterprise architectures (e.g., the methodology employed in the OMB Federal Enterprise Architecture Initiative), provides a disciplined, structured, systems engineering-based approach to achieving consolidation, simplification, and optimization of the information technology infrastructure and the information systems that operate within that infrastructure. Risk reduction can be achieved through the full integration of management processes organization-wide, thereby providing greater degrees of security, privacy, reliability, and cost effectiveness for core missions and business functions being carried out by organizations. This unified and balanced approach gives senior leaders the opportunity to make informed decisions in a dynamic environment on the tradeoffs between fulfilling and improving organizational missions and business processes and managing the many sources of risk that must be considered in their overall risk management responsibilities.
Managing risk really is multidimensional problem solving, something I was fortunate enough to learn early on, having gained a solid foundation for it in the ninth grade. Thank you, Brother Cornelius, wherever you are.
- Gerry Kane