Oct 21, 2012

Singin' in the rain


Alternate Title: “Tolerance? We need some stinking tolerance.”

Risk is a part of life. You could slip on the ice walking to your mailbox. You could get hit by a bus crossing the street. In business, as in life, bad things happen. Negative outcomes can't be stopped, but they can be minimized to keep us in our comfort zone. Risk tolerance is what helps us know when we're in our comfort zone and when we're hurtling towards disaster or wasting our potential.

So what is risk tolerance? Risk tolerance is about finding your peace in probable chaos. How do we find that peace? Let's consider another analogy.

Some of us may remember the old song "Singin' in the Rain". Some of us may even have seen the clips of dancing in puddles, swinging from lampposts and fancy footwork on slick pavement. While watching, we would probably think that Gene Kelly surely spent hours and hours learning how to dance. He likely had a number of wise and skillful teachers to share their experience. He probably fell down more than a few times trying some new moves, had lots of sore muscles and maybe even broken bones. Surviving that pain enabled him to feel confident that he was placing his feet in the right spot at the right moment. Years of successful dancing surely gave him an appreciation for the joy of getting it right. Getting it right enough times and being lucky enough to be in front of the right people when he did get it right got him noticed and led to his cinematic career. That eventual success surely made taking the early risks feel worth it. Also, having been through that pain to achieve success, he probably had high confidence that if he did happen to fall and hurt his leg or arm or head that he would very probably still survive to dance again. The point is that knowing your tolerance requires a little bit of having been there, a lot of knowing that you want to be successful and confidence in your ability to survive even serious bumps in the road.

As risk jugglers watching the video we may be tempted to scream out to Gene Kelly "Wait!! That brick has slime on it!! You're going to fall!!" We certainly know we couldn't have taken the chance, and we would have been so concerned that we actually breathed quickly and watched in surprise as Gene deftly slipped, recovered and danced on. After a while we would hopefully learn to trust Gene in the situations we would only think of carefully tap dancing around. What I'm trying to say here (through a rather long analogy) is that we may not, and probably do not, have the most skin in the game when we're trying to juggle risk for our employers, and we likely have not traveled the same road they've been on, so we should learn to trust our management more than we might like to at times.

Early in our careers or because we know how trivial a particular attack might be, we may think our resumes depend on skirting disaster at every turn and we may want to scream out for our boss to get some sanity or brains or something so they avoid the outcome that makes us want to run. This paranoid thinking can drive us to identify a diverse list of threats and cause everyone to discuss in detail every worst-case scenario we can dream of at a resource cost that will add up quickly. If you find yourself discussing only the worst case, you're missing the point of your job and my proposed approach to juggling. What really matters is how well you learn to follow the bosses' lead, not how wise or careful you are. It also matters how well you learn to understand the level of probability that drives your management's decisions, and finally how good you are at flagging the negative impacts that are most worrying within each business process.

Finding management's comfort zone isn't going to happen quickly and we're going to have to take a few risks of our own to test the waters. There are many ways to do this (go back to Google again) but in a small or resource-challenged environment, we're going to have to pass on most of them as too expensive. In a small business environment it may not always be practical to develop detailed cost cases for our proposed security improvements or detailed threat, asset and value analyses. Real-world, internal data may not even be available to show cost reduction, return on investment or probable loss magnitude. In this situation all you can do is be the best expert you can be with intel (headlines work well) about the probability of a negative outcome, let them choose and see how they react to your presentation. Notice when they aren't sure (as opposed to adamantly against your level of concern or opinion of the value of investing in a fix) and ask for more time and assistance to conduct a cost case project when the decision is too questionable. We'll get more into this later.

So to summarize, taking risks is necessary. We should learn to trust our management more and give them the benefit of their own experience when we ourselves wouldn't take a chance in a particular circumstance. As risk jugglers, management's comfort zone needs to become our comfort zone--assuming we have also gained their trust so their comfort zone is refined by our comfort zone and, of course, that our honor will remain intact. The trick is surviving until we find that state of being at one with our management and not looking too paranoid along the way.
