10 RISK FACTORS NO ONE TALKS ABOUT
20 Nov 2019
The traditional risk management factors you are all taught include the staid process of categorizing potential threats and risks, evaluating their likelihood of occurrence, and estimating the damage that would result from them if not mitigated.
We all struggle with those large estimation issues, but there are a ton of other factors that impact risk management. Here are ten that are rarely discussed openly.
- Fighting over “might happen” risk
“Why waste the money? That’s never going to happen!”
Imagine the public outcry if passengers were made to throw out their water bottles and get full body scans before 9/11 happened. After 9/11, we happily take off our shoes, throw away our water bottles, and subject ourselves to full-body scans. It takes real bravery every time a risk assessor warns about a problem that has never ever happened. They are the unsung heroes.
- Political risk
You lose political capital each time you flag a risk that then fails to materialize for some time. You are seen as “crying wolf.” So, proactive warriors calculate which battles they want to fight. Over time, seasoned warriors pick fewer battles. They have to. It’s survival of the fittest. Many of them are just waiting for the day when a really bad thing they didn’t fight to prevent happens, hurts the organization, and makes them the scapegoats.
- “We say it’s done, but not really” risk
The current ransomware epidemic has laid bare that most organizations don’t do good backups. Despite most organizations and their auditors checking off for years that critical backups are both done and are regularly tested, it just takes one big ransomware hit to show how radically different the truth is. How can a person who is in charge of backups ever test everything when they aren’t given the time and resources to do so? That takes a huge commitment of people, time, and other resources, and most organizations don’t give the responsible person any of that for the task.
- Institutionalized risk: “It’s always been done that way”
Everyone might know that six-character, non-changing passwords are not a good idea, but it’s never caused any problems.
Good luck arguing that everything needs to be upgraded to support longer and more complex passwords, possibly spending millions of dollars. The institutional “wisdom” is against you, and most of those people have been there way longer than you.
- Operational interruption risk
Every control and mitigation you implement might cause an operational issue. It might even disrupt operations. If mitigating risks without causing operational interruption were easy, everyone would be doing it.
- Employee dissatisfaction risk
The mere mention of restrictions on what end users can do, such as allowing only pre-approved programs to run or restricting where they can go and what they can do on the internet, is met by hostility from most employees. The labour market is tight. Every company is struggling to get good employees, who don’t want to be told they can’t do whatever they want to do on “their” computer. You lock it down too much and they might go work somewhere else.
- Customer dissatisfaction risk
You don’t need to use a PIN with a chipped card in the US. The rest of the world requires both the chip and a PIN, and this is a more secure option by far. How did it get that way? Because chip-and-PIN cards came to the US relatively recently, and merchants and customers were just getting used to swiping cards. Requiring people to insert the card so that the chip was read correctly was going to make a small percentage of transactions fail and upset some customers.
- Cutting edge risk
People on the cutting edge often get cut. No one wants to be on the pointy tip of the spear. Early adopters are rarely rewarded for being early. They often become the lessons learned that make it easier for the herd to adopt improved tactics.
- Time lag risk
You are almost always fighting some risk that has already happened to other people (or to your organization). You wait to see what tricks the hackers have up their sleeves and then create mitigations and controls to fight those new risks. Having to first wait to see what the hackers are doing creates a time lag from when the new malicious behavior is spotted until you can assess the new technique, think of new controls, and push them out. In a wait-and-see game, you are always behind.
- “Can’t do everything right” risk
Last year more than 16,555 new public vulnerabilities were announced. More than 100 million unique malware programs are known. Every type of hacker, from nation-states to financial thieves to script kiddies, is trying to break into your organization. It’s a lot to worry about. When you consider all the things the average company has to worry about and contemplate, it’s amazing that we can actually get it right most of the time.
Now go out there and continue to fight the good fight!
Rob Newsome (firstname.lastname@example.org / 083 611 8500)
Ntikile Sandlana (email@example.com / 082 785 1308)