I realized the other day that Not Bad for a Cubicle turned two in December. As my family can testify, acknowledging birthdays on time is not one of my stronger points, so I’m about two weeks late on this birthday wish to myself.
A lot has changed since I first started bashing random thoughts into WordPress and wondering if anyone but me would care. In March 2005, John Quarterman and I were pretty much the only bloggers out there talking about Risk in the non-boardgame sense of the word, at least according to Technorati, and we apparently only had 33 posts on the subject between us.
Today, Technorati found a total of 47,001 posts about “risk management,” with more being added at a pace of over 100 per day. A lot of them are spam, but a lot of them aren’t.
So what’s changed? Has awareness of risk really grown that much over the past two years? I doubt it. From what I can tell, people are still making bad risk decisions at about the same rate as they ever have. Sure, work is being done to improve our ability to describe risk accurately enough to make good business decisions about it, but we’re still years away from achieving even a reasonable facsimile of that goal.
In general, I think that more people are writing about risk management across different disciplines. Within the security world, in particular, FUD isn’t selling like it once did, so the spending and effort needs to be more firmly grounded in reality than in the past. In the same way that the exotic inevitably becomes mundane over time, much of what used to be “Information Security” is now just plain “Information Technology.” Throw in the commoditization of IT in general and it now takes more than just “Everybody is doing it!” or the specter of ueber-hackers to get a security budget approved.
This year, I’ve heard that I’ll be spending a lot of time doing business case development for security spending proposals. I’m looking forward to this for a number of reasons. First, it will give me a chance to put my money where my mouth is with regard to the potential benefit of risk assessment. Second, I’m hoping it will give me a chance to see first-hand how the non-IT executives react to Information Risk Management concepts. Third, I’m hoping that it will give me good material for this space going forward (assuming I don’t have to self-censor the posts out of existence).
I’ll continue to produce the rants essays on IT and Risk Management that you’ve come to know and expect, and hopefully you’ll continue to stop by. Thanks to everyone who has read, linked, and commented over the past two years. It’s been a lot of fun and it’s not over yet.