Earthquakes and Risk Management
This past Tuesday I spent the afternoon at a local college helping them work through their Risk Management process. In my opinion Risk Management is one of the least understood practices in information security, and subsequently one of the most miscast, overlooked and underperformed. But it makes me happy.
Given that this is the first time that this client is going through Risk Management, we’ve spent a considerable amount of time evaluating risk in a number of areas of security. The evaluation has been thorough and complete, a testament to the client’s commitment. And caffeine load. It’s never easy the first time around.
Risk Management is misunderstood for many reasons, not the least of which is the calculation of risk itself. Evaluating risk has always been one of information security’s dark arts. Risk is the mathematical product of Likelihood and Impact, and calculating it can be difficult for a number of reasons. In most cases, asset owners and businesses are equipped to determine the impact of losses in confidentiality, integrity or availability of one or more assets. This is a reasonably simple process, even if estimated qualitatively. The difficulty arises when trying to establish likelihood.
Tuesday was a beautiful day. Sunny and warm with a slight breeze, it reminded me just how lucky we’ve been this summer, as the weather in these parts can suck year-round.
At approximately 10 minutes before 2 PM ET, I noticed a mild wobbling occurring in the room. Being engrossed in a conversation about Access Control, I dismissed it thinking that perhaps someone had had a bit too much soda for lunch. After a few seconds the wobbling intensified, and several of us silently declared that something was amiss. The conversation trailed off and we each began inspecting each other, simultaneously looking for clues and confirmation that the building was indeed shaking, now uncontrollably. At that point we all stood up, enacted a mini-crisis management plan and headed for the door.
Now we all know that the likelihood of an earthquake occurring on the East Coast is near nil, and even less so in Albany. Right?
As we returned to the room after experiencing one of the Northeast’s rarest disaster scenarios (most of the campus was evacuated for a period of time), we had a newfound perspective on what is possible in the realm of information security. Luckily on this day, all we needed to combat this crisis was a little extra sunscreen.