Tag Archives: communication

Socializing Internet of Things risk

IoTRisk-g

adding risk from IoT doesn’t mean the existing risk to an organization conveniently disappeared …

There is a lot of conversation regarding security, privacy, safety and other issues regarding the ongoing proliferation of the Internet of Things (IoT). While IoT promises many helpful and useful things, concern about how it might (and will) be misused are valid. However, there are more than a couple of challenges to addressing this new source of risk to an organization.

Lions and Tigers and Bears

It’s easy for anyone to call out things that could happen with the IoT growth. Medical devices can be hacked , SmartMeters can be compromised and steal privacy information, the utility grid is widening its attack surface, drone video is intercepted and hacked , and countless others . Long live fear, uncertainty, and doubt, right?  While highlighting examples of IoT issues is important, the larger and more difficult thing for an organization to do is to communicate risk around IoT in a way that allows it to be managed.

Communicating IoT risk in an organization

Within an organization that already manages risk in some form, communicating and socializing the idea of IoT risk can be a challenge. There are at least two broad components to that challenge:

  • IoT defies traditional classification/categorization and is still little understood. It’s hard for people to wrap their heads around it
  • the other risks that the organization faces are still there. They haven’t gone away and IoT risk only adds to that

In order to begin to manage IoT risk, management must have some vocabulary for it. IoT is still new, its effects largely unknown and likely emergent, and precedents and analogies are few. We need to surface some language and concepts for it so that it can be discussed.

Another significant aspect of communicating IoT risk issues is that the other risks that an organization already faces — safety, liability, financial loss, reputation damage, technology challenges, business competition, and many more have not gone away. These risks are still there. We are asking senior management to make room in their list of existing risks that they are wrestling with to add yet more risk.  And possibly substantially more risk. Nobody wants to hear this.

Because of this, how we communicate these security, privacy, and risk issues is important. We are competing for a small slice of available cognitive bandwidth, so we must use this opportunity to communicate as well as we can.

Lather, Rinse, Repeat

If you either want to or are tasked with communicating IoT risk in your organization, I would suggest starting here:

  • find out what other risk the organization is already working with. Is there an annual report? Is there someone in the know in your network?
  • identify places where IoT is already in your organization or where you expect it
  • use the language of managing existing risk in your organization to begin to talk about IoT risk. If you have existing IoT risk examples, describe them in traditional risk language for your organization
  • repeat

A key to this communication is to get some IoT risk concepts out early. Give management some language to use to reflect on IoT risk and to discuss with their peers. It’s also important not to be heavy-handed in the approach. Yes, IoT risk is important, the impacts potentially very high, and the opportunities for abuse many, but the other existing risks that an organization faces haven’t gone away and they still must be managed too.

Metaphors Amuck for CyberRisk

Nagasakibomb

Nagasaki, Japan 1945

PW Singer wrote a great piece for the LA Times last month, “What Americans should fear in cyberspace.” .  In the article, Singer drives home the point of the dangers and harm done of equating risks in cyberspace with historical physical and kinetic events such as Pearl Harbor and using language borrowed from the physical space — weapons of mass destruction, Cold War, etc.

By using such language, such poorly contemplated metaphors, actual risk is not communicated. Worse, misinformation (aka statements-&-proclamations-that-are-wrong) is the thread. Singer points out that instead of educating, we fear monger.

In my opinion, one reason for fear mongering with pithy armageddon-esque descriptions instead of providing education is two fold:

  • it is easier to fear monger than it is to educate
  • fear mongering titillates and sells advertising

None of this is to say that there is not a real challenge in communicating risk. There is a real challenge. As a society, we don’t have a basis for understanding this kind of risk. It’s much too new. In the shipping, financial, some health, and even sports industries, there are decades or centuries of actuarial data to work with. This industry has at most two decades, but even that is not terribly useful given the rate of change of the ecosystem and attack types.

Singer suggests studying other examples of how society has handled new (massive) ideas such as the story of the Centers for Disease Control and Prevention in public health.  This seems like a great idea. (Right now, I wish I could think of more).

“The key is to move away from silver bullets and ever higher walls … “

Singer goes on to say that cyberrisk is here to stay and needs to be viewed as a new perennial management problem. Further, we need to acknowledge that attacks and degradation will happen and we need to plan for this. Planning for this and not wishing it away is building resilience. This, I believe, is the key. And with that enduring problem come the hard decisions of dedicating resources — whether from company revenue streams or ultimately taxpayer funds.

What metaphors can we use to better educate without fear mongering? How do you think national and business resilience should be funded?

[Image:Wikimedia Commons]

IT Risk Management Lessons Learned

From Tom Scholtz’s presentation at Gartner Security & Risk Summit 2013 on lessons learned in IT Risk Management:

  • Understand that there is a limited appetite for risk management as a topic by business users (ie, don’t overdo it)
  • Ideally, risk assessment is performed on business processes (vs IT assets or services)
  • Risk interpretation is personal — there is no correct answer
  • Don’t try to use only one risk assessment method for all assessment scenarios — one size does not fit all
  • Don’t use security & risk operational metrics when communicating risk to leadership — convert them to business objectives
  • Risk affinity for individuals and organizations changes over time
  • In many IT risk cases, quantitative risk analysis is impossible (because of lack of relevant actuarial data)
  • In the quest to simplify, don’t try to roll up multiple independent risks into one metric
  • Always link risk management activities to business objectives
  • Focus on risks that we can do something about

Finally, while possibly an unpopular sentiment amongst some practitioners, risk should be treated more like an art than science, where the focus is on gaining and documenting experience* and continuous improvement.  *(See my post Inverting Sun Tzu).

Companies in the long tail & information risk

I contend that at least half of the companies in the US and other industrialized countries are critically overexposed to IT & Information Management risk and that this population of highly vulnerable companies is primarily compromised of medium and small sized companies, aka SME’s (Small and Medium sized Enterprises).

The problem is that the techniques and approaches in the fairly fledgling field of IT risk management usually are developed from or apply to very large companies that differ significantly in scale from SME’s.

Often the IT risk management techniques envisioned for large companies don’t scale down to SME’s. For SME’s, quantities of analytical data, staffing, operational bandwidth are all in short supply.  Also, because of their smaller size, impacts such as total dollar loss from adverse information events such as hacking, malware, fraud, etc are usually lower than that of large companies and compromises, breaches, disclosures can be less newsworthy per event.  However, there are a large number of small and medium size companies.

It turns out that company sizes in industrial countries follow the Zipf distribution where a few very large companies coexist with a lot of much smaller companies.  This is a similar distribution to what Chris Anderson popularized in his Wired magazine article The Long Tail in 2004.  For example, Anderson talks about the record industry historically focusing on the revenue generated from hits (few in number but large in revenue) and missing the fact that there were many non-hit songs generating substantial revenue when viewed in aggregate.  Similarly, there are a few really big companies and a lot of smaller companies.   This high number of smaller companies (like the number of non-hit songs) is the part known as the long tail.  And this is the part suffering the overexposure to information risk because of a lack of tools, methods, and shared approaches between companies.

longtailgraphic3

The challenge is that many of the information risk management techniques and processes used by the relatively few very big companies don’t work well for smaller companies.  This is due largely, but not entirely, to resource constraints of smaller companies.   Staff in smaller companies frequently wear multiple hats and are eyeball-deep in sales, innovation, marketing, infrastructure development, and management of risk is often down the priority list.

As a whole, we end up with part of the population, the few large companies, with reasonable IT risk management capabilities and the other part, the medium and small companies, with poor IT risk management capabilities.

For the sake of argument, say that half the working population is in the few very large companies and the other half is in many small and medium size companies.  Oversimplifying a bit, this means that half of the working population are in companies able to manage risk and the other half are in companies that can’t.

What can be done to enhance the capability of that half that currently can’t manage information risk effectively (or at all)?  What can we do to provide small and medium sized companies risk management tools that are pragmatic and implementable? We need techniques and mechanisms and to share learned experiences in performing risk management in small and medium sized companies.

Do you work in a small to medium sized company? How do you address IT risk management? What other reasons do you see for lack of IT risk management in medium and small sized companies?