Question: Can you justify proposing a budget that manages risk to the “unexpected loss” event level? If so, would your company even be able to operate?
On Monday, I wrote a rebuttal to a blog post by Stuart King regarding the risk assessment posts I wrote a few weeks back. I want to take a moment to follow up on a comment Stuart left on my blog, specifically: “…I suppose that the “right” way is whatever way works best in your present circumstances: fact of the matter is that even given the best set of data, we usually get broadsided by something unexpected.”
I do not think that Stuart was referring to “unexpected loss” in the sense that an actuary or an enterprise risk management professional might. “Unexpected loss” in that context is usually measured in the >99.x% region of the risk curve: extreme tail risk, the kind of loss that would probably be a death blow to a Fortune 100 company, usually measured in the tens, maybe hundreds, of billions of dollars of unexpected loss in a single year.
I do think that Stuart was referring to losses that creep up and bite an organization for one of two reasons:
1. An event resulting in loss that truly could not reasonably have been detected, prevented, or responded to in a way that would have avoided significant loss. It is important to state that the word reasonable is used in the context of the company experiencing the loss, not in the context of the naysayers who sit back and proclaim they would never have missed such a gap.
2. A loss where effective risk management is not occurring.
From a risk assessment perspective, I would break the two reasons above into three different types of loss scenarios:
1. A significant loss independent of any identified risk. Meaning, I was not aware that we had an asset (or process) with a vulnerability that could result in a significant loss to the company.
2. A significant loss associated with an existing risk issue where some risk component changed after the original assessment, increasing its vulnerability and thus its loss event frequency (this assumes the risk was assessed with a sound methodology to begin with).
3. A significant loss associated with an existing risk issue where the loss magnitude exceeded the previous estimate (this assumes the risk was assessed with a sound methodology that factors in some form of monetary loss magnitude).
Question: If I managed risk to the “unexpected loss” event level, would I ever suffer a loss?
Now, from my “risk chair quarterback” position, I would say that most CISOs, CROs, and information security managers cannot request funds that are unreasonable. Some big government agencies aside, most companies and small businesses are tightening their belts when it comes to IT security spend. So to get dollars above and beyond paying your employees, training them, maintaining existing capabilities, and maybe even improving a few capabilities, you have to justify it. I think it would be very hard to defend a budget increase under the umbrella of “I need to manage risk to a level where unexpected losses are accounted for.” I would get laughed out of my current job if I ever suggested such a thing, and I do not even have a budget to manage.
With all that said, I do think there are some ways to reduce the chances of an “unexpected loss” (in the information security context), and they come down to effective risk management.
1. Regarding loss type one above, ask yourself: “Do I know what my key risks are?” If you are reading this from a leadership or influencer position in information security and cannot answer that question…uh oh. Once in a while you have to take a step back, assess the “risk landscape”, and determine where you are relative to it. This will not catch all “unexpected loss events”, but it will no doubt catch some. Performing this exercise could be the justification needed to request extra budget dollars to improve existing preventive, detective, or response security controls, or to implement new ones. And by the way, you will probably have to do some form of risk assessment on the newly identified risks. I do not recommend assigning a HIGH, MEDIUM, or LOW risk. Estimate the risk in dollars and determine whether the control significantly mitigates the risk down to an acceptable level.
2. Regarding loss types two and three above: effective management of unmitigated risk issues. The reality is that we document a lot of risk issues that other people are responsible for mitigating, if a decision is made not to assume the risk. Those “risk assumed” issues need periodic follow-up, and part of the follow-up should be to reassess the issue. Maybe something has changed in your environment that increases or decreases the loss event frequency or the loss magnitude. The beauty of this exercise is that it forces someone to become better tuned to the assumptions made when the issue was first assessed, and it serves as an indicator of how accurate the previous estimates were. A self-sharpening knife.
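The two recommendations above (estimate the risk in dollars, then periodically reassess the loss event frequency and loss magnitude) and the earlier definition of “unexpected loss” as the >99.x% point of the risk curve can be made concrete with a small simulation. The following is an added example, not code from the original post or from any risk framework it references. It assumes a Poisson distribution for loss event frequency and a lognormal distribution for loss magnitude, which are my modelling choices, and every dollar figure and rate in it is constructed for illustration. It computes the expected (mean) annual loss, the 99.5th percentile tail loss, and the “unexpected loss” beyond the mean, then shows a reassessment after event frequency doubles and a control decision made in dollars rather than HIGH/MEDIUM/LOW.

```python
import math
import random
from statistics import mean

# Added example: a seeded Monte Carlo of annual loss for one risk issue,
# parameterised the way the post describes (loss event frequency and
# loss magnitude in dollars). The distributions (Poisson frequency,
# lognormal magnitude) and all parameter values are assumptions made for
# illustration, not figures from any real assessment.


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(lef, lm_median, lm_sigma, years=20000, seed=1):
    """Return one simulated total loss per year, in dollars.

    lef       - loss event frequency (expected events per year)
    lm_median - median loss magnitude per event, in dollars
    lm_sigma  - spread of the lognormal loss magnitude on the log scale
    """
    rng = random.Random(seed)
    mu = math.log(lm_median)  # lognormal median m corresponds to mu = ln(m)
    losses = []
    for _ in range(years):
        events = poisson(rng, lef)
        losses.append(sum(rng.lognormvariate(mu, lm_sigma) for _ in range(events)))
    return losses


def expected_loss(losses):
    """Mean annual loss: what a budget normally has to cover."""
    return mean(losses)


def tail_loss(losses, confidence=0.995):
    """Loss not exceeded in `confidence` of simulated years (the >99.x% point)."""
    ordered = sorted(losses)
    return ordered[int(confidence * (len(ordered) - 1))]


def unexpected_loss(losses, confidence=0.995):
    """Tail loss beyond the expected loss: what an ERM team would hold capital against."""
    return tail_loss(losses, confidence) - expected_loss(losses)


def analytic_expected_loss(lef, lm_median, lm_sigma):
    """Closed form for Poisson frequency and lognormal magnitude, used as a sanity check."""
    return lef * lm_median * math.exp(lm_sigma ** 2 / 2)


def control_decision(before, after, annual_control_cost, acceptable_expected_loss):
    """Does a control earn its cost and bring the risk down to an acceptable level?"""
    reduction = expected_loss(before) - expected_loss(after)
    return {
        "expected_before": expected_loss(before),
        "expected_after": expected_loss(after),
        "reduction": reduction,
        "pays_for_itself": reduction > annual_control_cost,
        "acceptable": expected_loss(after) <= acceptable_expected_loss,
    }


if __name__ == "__main__":
    # Original assessment: about two events a year, median $50k each.
    original = simulate_annual_losses(lef=2.0, lm_median=50_000, lm_sigma=1.0)
    # Reassessment after an environment change doubled the event frequency
    # (the post's loss type two).
    reassessed = simulate_annual_losses(lef=4.0, lm_median=50_000, lm_sigma=1.0, seed=2)
    # The same risk after a control that halves frequency and lowers typical magnitude.
    mitigated = simulate_annual_losses(lef=1.0, lm_median=20_000, lm_sigma=1.0, seed=3)
    for name, run in (("original", original), ("reassessed", reassessed), ("mitigated", mitigated)):
        print(f"{name:>10}: expected ${expected_loss(run):,.0f}  "
              f"99.5% tail ${tail_loss(run):,.0f}  unexpected ${unexpected_loss(run):,.0f}")
    print(control_decision(original, mitigated,
                           annual_control_cost=60_000, acceptable_expected_loss=75_000))
```

Running it shows the gap the post is pointing at: the expected annual loss for the original scenario sits near the closed-form value (about $165k), while the 99.5th percentile year is a multiple of that. Budgeting to the tail figure for every risk issue is what a company could not afford; budgeting to the expected loss, reassessing when frequency or magnitude drifts, and judging a control by the dollars of expected loss it removes against its cost is the workable version.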
So in this post I have commented on the concept of unexpected loss in the context of enterprise risk management (ERM) and information security risk. A lot of enterprise risk management teams classify “information security risk” as operational risk. Information security risk professionals: make a new friend this week in your enterprise risk management group, or in any other group that manages risk associated with investments, products, and so on.
For a brief glimpse into this fascinating aspect of ERM, take a look at this white paper: http://www.google.com/search?hl=en&q=%22unexpected+loss%22+%22jonathan+davies%22&btnG=Google+Search&aq=f&oq=