A quick intro
I have served as Chief Information Security Officer (CISO) and Director for Fortune 500 companies and some of the world’s leading financial institutions, advising both countries and corporations on cyber risk, resilience, and incident response.
As Director of Jersey Cyber Security Centre, my role is to lead Jersey’s cyber defence, overseeing the direction of JCSC to promote and improve cyber resilience across critical national infrastructure, businesses, communities, and citizens.
Say hello
For speaker enquiries, or if you’d like to chat (perhaps about something you or I are working on, or something on this website) please do get in touch.
Why have this website?
For most of the time since I left politics this site had no clear purpose; I just kept the domain alive as a personal profile, visited only by cobwebs and specked with dust. So now I am using it as a repository for some of my thoughts. If it justifies a few minutes of your valuable time, I am honoured.
I have a particular interest in how we make good risk decisions.
Why? Firstly, because there’s a lot of evidence that we make bad decisions about risk. Secondly, because deciding how to use limited resources to get the best outcome (i.e. capital allocation) is what propels humanity forward, more so than anything else. And thirdly, because doing it well is hard, doing it well with cyber and technology is harder, and hard things are interesting. Particularly once you’ve had plenty of professional experience trying to do the hard things right (and not always succeeding).
That’s not the same as saying I have all the answers, but bear in mind that almost nobody actually talks about this at all outside the financial markets. Not boards, not executives, and definitely not cyber security leaders. Business decisions are mostly a lot more finger in the air. How many proposals for investment in capability have you seen that really explained what the return would be on outcomes and risk? Likely none.
Which has a bigger impact on earnings: investment in marketing, or in cyber security? We don’t know, because nobody asks.
As a result, companies have big, easily avoidable incidents that impact earnings and trust - sometimes critically.
Which leads to better clinical outcomes: more doctors, or a better patient records system? We don’t know, because nobody compares the benefits of each.
As a result, spending more on healthcare doesn’t always lead to better health.
Which policy is best for economic development: connecting regional cities to the capital, or connecting regional cities to each other? Again, we don’t know.
For the consequences, just look at HS2 vs Northern Powerhouse Rail.
But it gets worse.
Very often, there can be vested interests that actively don’t want to know; after all, there are no votes for politicians in calling for more hospital administrators, any more than there are business charts linking better internal control with sales growth. And that’s often true even when these investments are clearly what’s best for the patients or the shareholders!
Yet “I guessed” is neither a good defence when things go wrong, nor a good justification for spending people’s time and money.
So what’s holding us back from fixing this?
Deep-rooted dogma and assumptions, a need to replace qualitative risk assessments with quantitative risk management, a lack of time or skills, an assumption that what we do today is ‘good enough’, or an assumption that we never get fired for making the same mistake everyone else is, even if we know better? Perhaps some or all of these.
I believe we can do better, but I don’t have a magic wand, so I just try to keep learning and keep sharing.
If you’d like to read on, check out the links below.
If you’re more interested in cyber incident response, click here.