Risk management put to the test
The Association of Security Consultants (ASC) came together with the University of Loughborough for a ‘hackerthon’ recently. Mark Rowe accepted an invite to see and hear what it was all about. From the June print issue of Professional Security magazine. Pictured: statues at Loughborough campus.
Allan Hildage, chairman of the ASC, welcomed the audience to the debate – nothing to do with hacking as you might think, but, as he said, a re-examining of security topics, and a bringing together of industry with academia. In passing he mentioned that ASC members can now add the initials RISC (Register of Independent Security Consultants) to their names and business cards. Then host and security management lecturer Danie Adendorff took the floor. He was among the speakers at the ASC’s Consec conference in November, featured in the December issue of Professional Security; in a typically wide-ranging and enthusiastic talk he stressed how the internet has brought change – whether we like it or notice it or not – to business, management, and security management. To provoke discussion at the ‘hackerthon’ he titled his talk ‘security risk management versus security impact management’. Security risk management as done for years, generations even, is a multi-billion industry – but is it money well spent, he asked. Does it make the world better, or are there alternatives? He likened the event to ethical hacking, when a hacker is asked to expose security weaknesses that require patching; or to something new. He spoke of taking a red pen to the academic theory on which risk management, that multi-billion industry, is based, and urged a questioning of what is generally practised. A 14-year-old in your family can tell you how to identify an imposter on Facebook – you cannot. We use metrics based on likelihood and consequences; we analyse causes, what will, or may, cause something; we look at historical data, and interpret it. And then, giving a consultant’s advice (and taking a fee), we make the system robust. Typical security management advice is to control something. “If risk theory is so good, why have so many big companies gone in the last ten years?” he asked.
The problem with the metrics, he suggested, was that everyone looks at the risk, whether it’s moderate or high or extreme; but what those words mean is different for different people, “and that is a huge problem in consultancy; the subjectiveness of the theory”. Hence his proposed shift to ‘security impact management’. Danie argued that an organisation can draw positives from something bad happening. We should think in terms of fragility (you are vulnerable to stress events, and likely to incur losses); robustness (stress events may happen, but you are able to weather the storm); and anti-fragility (you get stronger from stress events, and find opportunities). By shifting from causes to consequences, you can manage the risk much better, he argued: “This is the crux of the whole idea.” To make flying robust, must we ban flying? Rather, we learn from flying accidents, and make hundreds of millions of flying hours safe.
How do we look at impacts? Danie put it in terms of 19 men with knives on an aeroplane – in other words, the 9-11 terrorists. With men and knives on aircraft, ‘there will be an impact somewhere’. This is not to say a security manager has to do one or the other, risk analysis or impact analysis. For business continuity, for example, you may need to combine the two. Then debate began with the audience. There was one query: if you look always at consequences, would that lead to risk aversion? Danie disagreed. You allow risk, and manage it; otherwise a business stagnates. While he said that he was not knocking risk management, he sought a shift away from ‘hand me down historical data’. Echoing his talk at Consec, he stressed the effect of the internet, which means mankind has to deal with change on an ‘exponential curve’. Impacts – whether from the knifemen of 9-11, or children as victims of social engineering online, or your computer having a virus, or the American ambassador being killed in Libya last year – will happen; it’s a question of when, not if. He argued that we cannot take risk management theory for granted any longer; life has changed too much. Adults may be part of the old world, but they are also part of the ‘most exciting generation ever’. But to manage the risk through our (that is, the older generation’s) eyes is fatal. “So what we must do is take our experience and marry it with the changing world.”
Professional Security raised three points. First, the definition of impact. Is it like the smack of a fist on a flat palm, or like a car hitting something at speed – which is a matter of physics? Likewise, if there is a fire in the room, that’s chemistry. But people will react differently; they will show courage, or be selfish, or selfless; they will be honest or deceitful in the workplace, and show love for the organisation or indifference; qualities not visible, and maybe hidden. There is also an element of uncertainty about the future; and we may assume wrongly that people are at all times rational – as when a fire alarm goes off – but some will be changed in body and character by drug addiction, or blackmail. Allan Hildage replied that it doesn’t matter if someone steals company information for a rival, or if the information reaches a rival another way, through being mislaid, for example; what matters are the consequences. Danie Adendorff stressed the upcoming generation that has been used only to the internet. We’ve researched the anti-social youths who have been given an ASBO; but what of research into the young people who have never left their rooms? Have they got good school reports by hacking into school computers and changing the grades?! How are we going to give him an ASBO?! “We don’t know what is coming to our workforce. Fundamentally our perceptions about people are wrong.” Richard Distin raised the danger that risk managers are trying to affect corporates by scaring them – hence risk management might become like insurance, something that you have to have, but without enthusiasm. Richard asked: “Who is risk-managing the risk management industry?”
Allan Hildage made a point about business continuity: who runs the business, and whose absence has to be planned for? Not necessarily the person making things, or the MD, but the administrator; if they are hurt in an accident, the business might come to a stop. People cannot say any longer that they cannot use computers; in manned guarding, everything is computer-driven. Likewise, as Richard Distin said of the question of how to get through to the buyer of services: buyers, too, are changing. The morning of debate did not change the world and was not meant to; it was meant to stimulate. Danie admitted that what he was saying about impacts was not new. What the talk did address was the generation gap between the new and the established – and security and risk management is stereotypically the preserve of the middle-aged male. As Danie pointed out, once a generation gap was between generations; now, it’s only a few years.