Mar 9, 2013

The Tragedy of Security is that we're finite and common


Alternate Title:  The grass is not always greener...

I’ve been taking a Coursera class called Microeconomics for MBAs. I can’t believe how it’s opening my eyes about lessons I had already learned the hard way. It makes me wonder what might have happened if I’d stuck with it in my freshman year of college. Perhaps the road less traveled might not have looked so tasty? But I digress.

I want to share a lesson that I’ve flown past in the mad scramble to share what seemed more relevant. This bit is so foundational to security and risk management that I think now is the best time to elaborate on motivations for/against security, why there are never enough resources and how to get things done as a risk juggler.

The biggest slice of wisdom I've gained from the first 5 weeks of class is the idea of the “Tragedy of the Commons”. The core of the idea is that if we all share a finite resource (e.g. a city park), but none of us owns the resource, some will inevitably try to take more than they need of the resource or abuse it, and reduce the value for all. The assumption behind this is that we’re all more or less rational but also self-interested. How does this apply to us as risk jugglers, you say? Because we’re the park.

When you are a cost of doing business and not a revenue generator, you can’t easily propose new ways to use any value you’ve miraculously added above and beyond your expected quota, which is usually just enough to pass the audit. Our quota is different. We only have ourselves and whatever resources we’re given to do the job. Also, typically we’re just avoiding unrealized (some might say imaginary) costs of doing business in the dangerous world of Cyberspace (Drink!!). The point is we can’t as easily identify residual or new value we’ve created and ask to spend it in new or better ways. We just get pulled in another direction with whatever time we’ve saved. Thus we're a finite resource with limited value and many potential consumers.

Sure, we can bust our ass and go crazy trying to do everything. Unfortunately this approach will very likely fail to accomplish what really matters before we burn out and get fired. That is, unless management only cares about the next fire and our many stakeholders agree, or unless they try to push all their risk management work onto us instead of owning it themselves, and thus can’t pass the audits without us. Add to that, since few like to do what we need them to do, they will try to avoid any rules we throw up to manage our time and keep the risk noise to a dull roar. If we don’t manage all these pressures well, we’ll damage ourselves and won’t help the company, because we will fail to spot the opportunities and keep pace with growth and evolution.

My position is that it is best to view ourselves as a limited resource and find ways to protect ourselves from those who will inevitably overuse and abuse our time; otherwise we’re destined for failure.

Preventing abuse of a common resource comes in many forms (says the economist), but they all come down to a basic act: raise the cost of use to reduce the demand from those who waste, or to reduce the individual user’s ability to waste. How can we do this? The following are listed from simplest/cheapest/least effective to most complex/most expensive/most likely to succeed at reducing exploitation of YOUR time in a complex environment.


  • Policies and Procedures: This is probably the easiest path for the SMB and the most common. Every company will have some written or unwritten policies and procedures to help manage the chaos. Unfortunately, without some Executive sponsorship, incentives and measurement, they are rarely worth the paper they’re written on.
  • Internal Audit:  Some risk managers would say that internal audit isn’t really helpful as they typically don’t have enough time or knowledge of the business to find what really helps reduce the uncertainty.   Some would say Internal Audit is part of risk management.   I lean more toward the “part of risk management” camp.   (This may be because I’m an Internal Auditor at the moment and also tasked with some aspects of Internal Risk Management.)  Others see Internal Audit as part of the control structure called Governance.  That is a more meaningful construct to the Enterprise but still worth mentioning here.   However you look at it, the pro to having this role is, as an extension of the board, the Internal Audit role can save costs for the organization by cutting through a lot of the failures of the options above to help “tune the engine”.   By highlighting where controls are not operating as desired or just misaligned with management’s risk intolerance, the auditor is the tool that helps management turn the ship where turning on a dime isn’t necessary and identify when the ability to turn faster is needed.
  • Executive sponsorship:  We’ve all heard this is necessary, but let’s look at why it works.  Senior management’s first role is to manage all the shirkers who would waste the common resources of the company (not just us but the other cost centers).   They will typically divide their constituents into departments, teams and smaller units and share accountability down the line.  This way every resource is monitored by someone who also has the same larger chunk of the company’s objectives and is watching them and reporting up the line about their failures.  By having the support from the top driving the priority, anyone who doesn’t want to pull their load relative to security and compliance will be reported and sanctioned (e.g. lower bonus, less than preferred duties, termination, etc.).  The Con is that senior management often has difficulty keeping security a business priority without additional incentives.
  • Incentives for everyone:  Incentives, such as evaluation of security contribution during HR evaluations, are harder to implement than Executive sponsorship for two reasons.   One, it costs more to administer incentives than disincentives.   To maintain integrity in the process, you actively have to document and evaluate success instead of just react to failure like you would through simple Executive sponsorship or Internal Audit approach.  Second, and for the SMB in particular, it involves more judgment to implement than direct measurement of evidence.  So it can break down due to the same weakness as any sales oriented management approach (i.e. if I have the best presentation--but not necessarily the best facts--I can still win without returning the optimal value for the effort).

So to recap, information security and risk managers are a VERY small population within the rest of the professional world, who have their own competing priorities, so this is the way it will always be. Since we’re always a cost center and arguably not a profit-focused utility, this means we’ll be stretched thinner than we like in every challenge we’re facing. The risk juggler who survives will be the one who recognizes the methods to avoid being corrupted or depleted as a common resource. She will work to implement a private-property-like mentality about her and her team’s expected contributions. This will ensure the ownership of chunks of her contribution is distributed carefully, so all members of the company can reap the most benefit from their piece of what used to be the commons. However, no system is perfect, so it’s important not to get bent out of shape if you see a little garbage on the lawn now and then.
