The secret sauce for IT to Manage Risk – You would never guess it!

Over the last thirty years, the prevailing belief has been that process, technology and technique manage risk. While it is true that processes and engineering and technology controls play a significant role in a risk strategy, it is ultimately people who manage risk. The dilemma is that people are complicated: we do not always act logically, and we cannot simply be poked once to produce the desired outcome. We carry all sorts of quirks in our heads and in our gut responses, and when we are presented with uncertainty, those quirks cause us to act or behave differently. Sometimes it is raw emotion that drives our actions, choices and responses. Road rage is an example: compliant and safe on paper, but a major risk to others in the moment. If we do not factor people into our risk models, the result is a process that is very ineffective.

So how do we get our people to manage risk more effectively?

Well, it all starts with educating the individual and the group to recognize and understand the risks they come across, which means overcoming risk blindness. From there, there is an opportunity to shape their attitude towards those risks, which in turn affects behavior, and behavior shapes the risk culture of the organization.

The industry that, in my opinion, best illustrates risk management through people is construction, by way of its health and safety programs (mainly because failure there is tangible and visible). Companies with a strong risk posture operate with regular safety orientations, safety training, daily hazard assessments, incident reports, near miss reports, daily safety toolbox or team meetings, safety meetings, safety audits, and so on. The purpose behind the frequency and repetitiveness of this process is to help the individual and the group identify, assess and manage the risks they see, or in other words, take ownership of the risks they encounter. The successful companies (large or small) are those that make strategic use of near miss reports: reports of an incident that did not cause damage or injury but could have.

Individualized Reports

These reports tell a story and allow for a tailored discussion with individuals and groups, aimed at reducing the frequency of near misses and correcting the flawed thinking that led to them. Some companies in the construction industry will argue that they hold all those meetings and fill in all those forms and still have a weak risk posture. The problem is that they are going through the motions of safety compliance but have failed to reach the individual.

Full disclosure: while I think this industry is a leader in risk management, it is also rife with bureaucracy. The system can get caught up in the process of compliance, creating a false sense of security and losing the spirit of the main objective, which is keeping people safe. Again, it is people who manage the risk, not the process.

The notion of people managing risk should not be a surprise in the IT world, as many technologists are employed just to manage the aftermath of end-user actions, despite the technology solutions in play.

We need to do a better job of seeing and understanding where people are coming from: the psychology of human thinking and, more importantly, how bias plays a role in risk assessment. This will make our processes far more effective, and yes, keep our IT people sane.

Teachable Moment to Employees: Enterprise Cyber Leaders: iOS 9.3.5

If not for an ordinary, non-technical computer user, the urgent iOS 9.3.5 security patch of 25 August 2016 would not have happened. Researchers assert that attackers had been exploiting this zero-day vulnerability in the wild for over a year. Yet the vulnerability was not detected by technology. A pro-democracy activist, Ahmed Mansoor, received a text with a link he considered suspicious and sent it to experts to analyze. Anecdotes such as this are growing in number. Motivated, informed users are spotting what technology misses, and at the beginning of the kill chain. This is what I like to call a teachable moment.

Enterprise cybersecurity leaders can use stories such as this as teachable moments to better prepare for future scenarios. Cybersecurity is ultimately a people problem. Training alone motivates few to change and to learn. Teachable moments bind a relatable or actual experience to what otherwise seems an estranged abstraction to employees. They also make it plausible to employees that they too can make a meaningful impact. Again, cybersecurity is a people problem, and people react to change much like objects in Newtonian physics: unless acted on by an outside force, they tend to stay put.


This particular story has so many interesting elements that it is difficult to stay focused on just this one teachable moment. Here are a few essential highlights you can point out to your employees:

  • An ordinary, non-technical user received a text with a link he considered suspicious
  • Experts (Citizen Lab) analyzed it (it was also analyzed by Lookout)
  • The researchers found that the link exposed iPhone/iPad users to malicious code that exploited a vulnerability unknown to Apple
  • The researchers reported their findings to Apple
  • Apple released the 9.3.5 security patch within weeks
  • We are all a little safer

Employees can make a meaningful impact without becoming experts and without being given expensive tools with steep learning curves. But this will not happen without motivating them. Why not use the iOS 9.3.5 security patch as a teachable moment? Mention doing so at your next board of directors briefing on cybersecurity risk management. Motivate employees to be human sensors instead of liabilities.