Shostack + Friends Blog Archive


Risk Managers Are Just Like Security People

Or is that vice-versa? A few weeks ago, Security Retentive posted about an article in the Economist: “Confessions of a Risk Manager”. Both his analysis and the original story are quite interesting and I encourage you to read them, as well as a letter to the editor that was published in last week’s print edition of the Economist. In “Risky Business”, David Howat, a self-described past risk manager, shares his thoughts on the role of risk managers:

Risk managers can’t do a proper job if they aren’t part of the team that develops the proposal. They are enablers, not gatekeepers: their job is to ensure that each new transaction, product and service is developed with safety as well as profitability in mind. Weaknesses need to be identified early so that, if they can’t be corrected, the proposal can be dropped before anyone gets too attached to it.

Sounds familiar, doesn’t it? I can’t count the number of times I’ve used a similar argument for security being involved from the beginning. It’s heartbreaking to hear that an industry that’s been around much longer than ours is still fighting the same battles. Yet on the plus side, it’s yet another group that we can learn from to improve our own stance and hopefully avoid making some of the same mistakes. Time to go re-read the original article.

3 comments on "Risk Managers Are Just Like Security People"

  • Alex says:

    I’m often thinking that economics suffers mainly because the scientific method they apply to their models has more immediate societal “risk” associated with them being wrong than, say, a theory on the extinction of dinosaurs or obscure models built around Phosphorus 31 NMR spectral properties. (see the article by Hanson about ‘hate’ and economists).
    My current line of thought is that “Security” (or Information Risk Management if you’re so inclined) suffers similarly because of the perceived probable impact – not only in *not* addressing the risk because of unplanned cost increases, but just the act of addressing the risk is personally painful. This is an organizational behavior problem, and that’s a discipline that we’re just not that good at yet (possibly because we’ve done so poorly on the risk thing).

  • Rick says:

    There is no surprise in this comment. And in fact, I have become more inclined to the idea that information security is part of the operational risk domain, and thus there are a lot of similarities.

  • Yes, the Basel II accord is a good example of how information technology, financial and operational risk can be related to each other and managed together.