"You keep using that word. I do not think it means what you think it means." -Inigo Montoya in The Princess Bride
In the past couple of months I've come to hate the word "risk" and its associated phrase "risk management." It's not because risk itself is inherently bad or wrong, or that the need for good, quality risk management has changed. Rather, it's the overuse and misuse of the term that is really grating on me. Despite a lot more talk about risk, it seems that it's even less understood and even more poorly defined than ever before.
Perhaps the most egregious "risk" annoyance is its constant use as a FUD hammer for pushing products or agendas. It seems that every time we turn around, somebody is proclaiming that something is a HIGH RISK (bold, all caps, exclamation, exclamation, exclamation, omg we're all gonna die!). Unless, of course, we buy their product or support their agenda.
This problem is pervasive across multiple industries, most of which are these days loosely associated with "security" (I heard an ad on the radio last week in which Northrop Grumman now describes itself as a "security services company" - not because they're doing anything different, mind you, but because that's where a lot of the money is... homeland security, national defense and security, cyberwarfare and cybersecurity, etc.). Not that this is any different than ever before, but it seems that you cannot trust much of anything you read or hear these days. If you do, you'll be buying into irrational, FUD-based agendas that seek only to take your money and leave you no better off.
This line of thinking makes me wonder... if you're not particularly experienced with security or risk management, what hope do you have of really dealing effectively with any of this FUD and BS? If some vendor or VAR or consultant comes in making bold statements about "high risk" findings or issues, how do you evaluate and validate what's being said?
It seems to me that every time someone hears the word "risk" they should immediately jump to a quick interrogation based on the following rubric:
1) Has "risk" been defined in my context?
2) Has the identified "risk" been prioritized within my context?
3) Is the "risk" being used to describe a problem or to promote a "solution"?
4) Has the "risk" been properly weighted against comparable concerns?
If the answers to these questions are inadequate, or simply "no," then you probably have a case of risk abuse on your hands. #3 there is a particular red flag to watch out for, with vendors, politicians, and mainstream media most notorious for flogging "critical issues" with "high risk" that are taken completely out of context and hyped up well beyond anything reasonable. If a vendor sends you marketing materials that talk about "risk" at all, then you should be highly suspicious. How do they know what is or is not a high risk for your organization?
We could go on to talk about how to structure risk profiles and a risk management program, but it's too much at this point. Organizations are failing at the simple step of vetting and validating what they're hearing. Until organizations and people quit accepting all "risk" claims at face value, there's really no point in talking about risk management. Why? Because you won't get the right kind of understanding or buy-in necessary to be successful.
It's time we empower people to challenge blind assertions. It's time to give them the basic tools, such as the responsibility to question what they're told, to begin fighting the rising tide of what is no less than fraud and deceit. Once these basic steps are taken, then we can talk about how to evolve that into a formal risk management program.
Refuse to be terrorized. Refute blind assertions. Question all non-contextual risk statements.
Ben, could not agree more. My recent take on FUD is at the link above.
rgs Luke
Thanks, Luke! Ironically, my motivations for this piece were independent of the writing of Anton and the others. I'm simply burned out on risk being the buzzword du jour this year.
Terrific insight, Ben! I always enjoy infosec blogs that focus on the bigger issues rather than just the nitty-gritty technical stuff. The words "risk" and "risk management," as you've pointed out, have lost all meaning; they've been reduced to buzzwords. Like you said, being terrorized by FUD and applying risk mgmt in response is useless. Risk needs to be viewed objectively and realistically.
I'll be following your blog from now on! Take a look at my infosec blog (securityrevolution.blogspot.com) and my musings on some of the more holistic aspects of the field.
YAY!!!! Ben wrote a concise blog that didn't take me 2 trips to the bathroom to read! LOLZ!
Seriously, nice write-up.
@Dominic - Thanks! I'll definitely check out your blog.
@Erin - haha - glad you liked it! :)