A quick intro

Matt Palmer leads national cyber resilience for a small island jurisdiction and international finance center (IFC).

He was formerly Chief Information Security Officer (CISO) for some of the world’s leading financial services institutions, including retail banking, capital markets, private equity and insurance.

He has served as a board-level Director and NED for organisations including a national financial regulator (the Jersey Financial Services Commission), as well as fintech, housing, and healthcare organisations.

Matt has won several awards for his work in cyber security and corporate governance.

His work has also been featured on television (BBC News, BBC Politics Show, ITV Channel TV, Sky News), radio, online, and in print (Economist, InfoSecurity Magazine, Information Age, etc).

Disclaimer

Nothing published on this site or on social media represents the view or opinion of any organisation with which I am (or previously have been) associated. Content represents only my personal view at the point in time at which it was written. If you want to refer to it somewhere else, please let me know and include a link back to this site.

Say hello

For speaker enquiries, or if you’d like to chat, please do get in touch.

This website is a personal project; if you’d like to get in touch with me at work, you can do so here.

A bit about risk and cyber security…

For most of the time since I left politics this site had no clear purpose; I just kept the domain alive as a personal profile, speckled with dust and visited only by cobwebs. So now I am using it as a repository for some of my thoughts. If they justify a few minutes of your valuable time, I am honoured.

I have a particular interest in how organisations make good decisions in complex situations; particularly when faced with risk and uncertainty.

Why? I’ve seen it go wrong so many times! There’s a lot of evidence that we make bad decisions about risk, and deciding how to use limited resources to get the best outcome (i.e. capital allocation) is what propels humanity forward more than anything else. Doing this well is hard, and doing it well with cyber and technology is harder. Hard decisions are by definition interesting decisions, particularly when you’ve had the opportunity to get them wrong yourself.

Almost nobody actually talks about this at all outside the financial markets. Not boards, not executives, and definitely not cyber security leaders. Business decisions are mostly a lot more finger in the air. How many proposals for investment in capability have you seen that really explained what the return would be on outcomes and risk? Likely none.

Which has a bigger impact on earnings: investment in marketing, or in cyber security? We don’t know, because nobody asks.

As a result, companies have big, easily avoidable incidents that impact earnings and trust - sometimes critically.

Which leads to better clinical outcomes: more doctors, or a better patient records system? We don’t know, because nobody compares the benefits of each.

As a result, spending more on healthcare doesn’t always lead to better health.

Which policy is best for economic development: connecting regional cities to the Capital, or connecting regional cities to each other? Again, we don’t know.

For the consequences, just look at HS2 vs Northern Powerhouse Rail.

But it gets worse.

Very often, there can be vested interests that actively don’t want to know; after all, there are no votes for politicians in calling for more hospital administrators, any more than there are business charts linking better internal control with sales growth. And that’s often true even when these investments are clearly what’s best for the patients or the shareholders!

Yet “I guessed” is neither a good defence when things go wrong, nor a good justification for spending people’s time and money.

So what’s holding us back from fixing this?

Deep-rooted dogma and assumptions, a need to replace qualitative risk assessments with quantitative risk management, a lack of time or skills, an assumption that what we do today is ‘good enough’, or an assumption that we never get fired for making the same mistake everyone else is making, even if we know better? Perhaps some or all of these.

I believe we can do better, but I don’t have a magic wand, so I just try to keep learning and keep sharing.

If you’d like to read on, check out the links below.

If you’re more interested in cyber incident response, click here.