Comments on: Metrics and oranges

by: Chandler Howell

Mon, 28 Apr 2008 18:23:30 +0000

Oh, and while it’s pretty crummy weather here in Chicago today, I completely agree with your sentiment in principle, even if today I can’t do it out on Lake Michigan or in a nice, sunny beer garden.

by: Chandler Howell

Mon, 28 Apr 2008 18:22:18 +0000

Alex,

No editing on my part, so I’ll blame wordpress.

I often feel that my job is to worry about risk so the rest of management doesn’t have to, which I think would fall into the “enabling oblivousness” option.

That’s not necessarily a bad thing–more of a division of labor option. They worry about things like how to make better & sell more products, and I worry about keeping things safe.

More on this challenge in my next post…

by: Alex

Mon, 28 Apr 2008 17:11:20 +0000

Chandler,

Somehow the greater than / less than symbols cut off my comment. Whooops.. Or maybe you just thought I was being to wordy :)

So your job is to make sure that management knows risk or is oblivious towards it? Didn’t know which model you were preventing.

(the fact that I have to ask that question should cause us all to really get kind of depressed about our current state, leave the office early on this beautiful spring day and go do something we really like, preferably involving adult beverages)

by: Chandler Howell

Tue, 15 Apr 2008 12:33:10 +0000

Alex,

I agree that in many places I can think of (now that you put it as you have), defining IT Risk tolerance is an ungoverned, bottoms-up activity.

I guess I have a certain blindness in my day-to-day, since part of my job is to prevent that model from taking shape. Thanks for pointing out that I don’t live in most people’s risk management reality ;-) .

by: Alex

Tue, 15 Apr 2008 00:34:54 +0000

“I assume that policy (or lack thereof) is an expression of or proxy for a company’s tolerated level of risk.”

I’m going to call bad assumption. Most of the issues I’ve seen with security policies and non-compliance (to policy) is that the policies are that they are written as a representation of a “best practice” by a CISSP-type regardless of the risk tolerance or appetite of management with little consideration for user experience and productivity impacts. So when policy is challenged, or KPIs are given based on assumed risk tolerance/appetite/interest - credibility and usefulness of information risk management suffers.

I advocate the following:

1.) Some sort of risk tolerance (& appetite?) is developed by Mgmt.

2.) That is expressed as a ‘pain scale’ (http://www.anes.ucla.edu/pain/FacesScale.jpg) target for KPIs to hit, preferably as a number that is in probable frequency/amount of loss and/or ability to manage risk.

3.) Policy conditions are established:

if current state of risk or risk management capability is