
Don’t do that, the risk is too high!

You need to spend more money on cyber/fraud prevention/anti-money laundering/(fill in the blank) because there is a high risk of something really bad happening.

You can’t announce the new product/roll out the new system because it’s not ready. We haven’t fixed all the bugs.

The Sky Is Falling?

People who shout warnings like these are focused on risk. If they see it as high, they see red. STOP signs. DANGER!

But what about the people who are trying to get something done?

Do they see prudent, business-oriented people? Or do they see the boy who cried wolf, or Chicken Little calling out that the sky is falling?

Do they see people who are helping them or getting in the way of running the business?

In a recent RiskMinds video (thank you for sharing, Alexei Sidorenko) Nassim Nicholas Taleb, who is famous for talking about black swans, tells us there should be no risk management, rather we should be studying risk taking.

In fact, in his Amazon bio, he says he “spent two decades as a risk taker before becoming a full-time essayist and scholar focusing on practical and philosophical problems with chance, luck, and probability.”

I couldn’t agree more: Focusing on avoiding hazards (things that might go wrong) is a recipe for failure. You only succeed in life and in business by taking the right level of the right risks.


Sometimes Not Taking Risks Is the Risk

It all comes down to helping leaders make informed and intelligent decisions. Informed means having the best information you can about what might happen, both good and bad, on your way to achieving your objectives — whether your objective is to grow revenue or lose weight. Intelligent means involving the right people, considering your options, leaving your biases behind, and taking the time to think things through.

Taleb is asked what he sees as the greatest risk. His answer (in my translation) is that when you are not taking risk intelligently (and that can mean steaming ahead through the shoals when the need requires) you are putting your future and its success "at risk."

Unfortunately, most practitioners think their jobs require them to call out that the sky is going to fall if we don’t delay/spend money/change our practices/etc.

A list of risks is not a list of ingredients for success.

Further emphasizing the scale of the problem is that the person interviewing Taleb doesn’t understand what he is saying. She doesn’t hear the point that we shouldn’t be making a list of risks but enabling better risk-taking. Instead, she wants his help to prioritize her list of risks.


How Much Risk Should You Take?

The article "An Enterprise Approach to Data Security" purports to guide information security practitioners on how to assess and manage the security of information. But it says nothing about understanding how a security incident could affect the business and the achievement of its objectives. The author is managing data security risk, not helping people take the right level of cyber risk.

The only way you can eliminate cyber risk is by closing the business (and it’s questionable whether it is totally eliminated even then). The question for business leaders is how much cyber risk they should take. Or, putting it another way, how much should they be spending on cyber defense, detection and response?

These are business decisions, not risk decisions.

There are too many articles, frameworks, and standards that focus on managing risk, and not nearly enough discussion on taking the right risk (after weighing the consequences) through informed and intelligent decisions.

What do you think?