A Signal That You Are No Longer Targeting Effective Risk Management

May 27, 2009

Over the years, I have been witness to many instances of “responsible”/“accountable” word feuds. In truth, I have been maneuvered into the early stages of these tangents on more than one occasion. I believe that their presence is almost always a signal that effective risk management is no longer the mission.

Whenever compliance discussions evolve into arguments about the meaning of “responsible” versus “accountable,” stop and think about the trajectory of your effort. Chances are that you are no longer involved in “risk management.” The key is generally to ensure that there remains a strong link to compliance monitoring, reporting, and enforcement. Where there is no such link, there is no information security, infrastructure, or infrastructure operations risk management activity. If you are a lawyer, and your focus is to use the “responsible”/“accountable” vocabulary to achieve some gain or to dodge some liability for your corporation, you have my support, but it is not related to the security business.

Tight-enough coupling between the descriptions of what must or should be achieved, and the monitoring, reporting, and enforcement used to ensure an appropriate level of compliance, is a key indicator of an effective risk management focus.

Absent that coupling, attempt to re-focus the effort participants’ energy away from “responsible”/“accountable” word-smithing, and back toward the job at hand.

Mass Misunderstanding in Global Business — Can It Happen on the Information Security Front?

May 17, 2009

Leaders in many industries seem to employ hope, and a belief in “what others are doing,” as a primary risk management technique. I recently read a piece about the biofuels industry and watched a documentary on Bernie Madoff’s Ponzi scheme that seem to demonstrate weaknesses in the way we manage key risks in globalized industries today. In financial services, we use software to integrate much of our operations in hostile environments. I believe that it would be useful for our most senior leaders to invest some of their best resources in an intense re-evaluation of their risk management strategies across all dimensions of their business.

Philip Brasher wrote a brief blog entry earlier this week about how, over the last few years, biofuel entrepreneurs, producers, investors, farmers, and politicians all failed to deal with some relatively well-established market risks. In the U.S. Midwest, biofuels generally means ethanol and biodiesel. During the recent ethanol boom years, boosters seemed to reason, “what product could fail when it had no competitors and government was prepared to make its consumption mandatory?” Many in the industry assumed their government mandates and subsidies were a virtual guarantee of success. Both ethanol and biodiesel are now in a deep slump. The price of, and demand for, these biofuels are relatively tightly coupled to traditional energy markets (primarily oil) and to agricultural commodity prices. As a result, the biofuels industry operates in an international market. The dynamics of oil and agricultural markets are extensively documented, analyzed, and reported on — and mandates and subsidies are not distributed evenly across the globe.

Creating the infrastructure to produce ethanol and biodiesel on a commercial scale is a complex engineering and capital-intensive exercise. Whole hordes of intelligent people worked out every facet of this new industry. Most of this effort took place in public, and with relatively extensive academic support from major universities. How could they have gotten it so wrong? And are they preparing to do so again? Mr. Brasher references work by Ross McCracken that seems to suggest they might, by expecting both rising oil prices and falling production costs while at the same time neglecting to deal with their own product pricing and raw materials costs.

So what does all that have to do with information security in the financial services industry?

Software is increasingly an enabler for “everything” in our business. Every facet of our businesses depends upon layer after layer of software, most of which is expressed in interface after interface. Our business leaders have been wringing “savings” out of our infrastructure for years. Many seem to think that this savings-train is both endless and under their command. Unfortunately, there are other forces that can influence the costs and risks associated with operating large, complex, often globally distributed infrastructures.

Much of our infrastructure is now connected to the Internet, as well as to our partner and customer infrastructures. Our business “plumbing” and our brands require this connectivity in the financial services industry. All of it is exposed to more or less hostile influences. Many of our leaders depend upon contracts, laws, regulations, and regulators to work out how we will deal with the risks. Some add informal reviews of “what others do,” or search for “industry best practices.” Some include insurance in the mix as well. My translation of this behavior is that they hope that “their” corporation will not experience a related loss on their watch. And hope is not a viable risk management plan.

When you need to protect millions or billions of dollars of other people’s money, writing and deploying risk-appropriate software, even a relatively simple application, is fiendishly difficult. This task is made more challenging because the nature, scope, and intensity of the threats in the deployment environment are evolving. Many applications never receive even an informal security code review or a vulnerability assessment. At the same time, the “tools” available to criminals, insiders or outsiders, continue to mature and pose serious threats to our information, operations, and assets. Most of these tools attack, in one way or another, our applications. From one perspective, this is a very dynamic battle-space (war-fighting vocabulary intentional). That is not the perspective of most of our executive corps.

Any population in financial services depending on hope, and a first-person experience of avoiding disaster, ought to review the recent FrontLine documentary on “The Madoff Affair.” In the presence of a relatively vast regulatory apparatus, thousands of top-tier investors, investment advisors and analysts, brokers, and hedge fund gurus “lost” as much as $65 billion U.S. in a Ponzi scheme. That was also in spite of a small cadre of investment specialists and a few reporters who repeatedly pointed out that Madoff’s returns were not supported by market or mathematical facts. The primary regulator performed several reviews of Madoff’s investment operations and reported that there were no problems. From our perspective today — on Dec. 11, 2008, Bernard L. Madoff confessed that his investment business was all a lie — this seems like some mass madness. Professional and wealthy elites do not make mistakes of this magnitude — but now many of them have lost much, or in some cases all, of their fortunes. So much for hope and regulation…

It is risk-inappropriate to wait for a catastrophic attack on our financial services infrastructure before investing in intellectually viable information, infrastructure, and infrastructure operations risk management practices. I believe that it is time for our most senior leaders to invest some of their best resources in an intense re-evaluation of their risk management strategies across all dimensions of their business.

— References —

“Biofuels at risk.” Philip Brasher, May 11, 2009, http://blogs.desmoinesregister.com/dmr/index.php/2009/05/11/biofuels-at-risk/

There was also a follow-on article in the Sunday Des Moines Register (print edition), “Lawmakers try to ease regulation on biofuel’s environmental effect.” May 17, 2009, page 4D.

“The Madoff Affair.” FrontLine, PBS, http://www.pbs.org/wgbh/pages/frontline/madoff/

