Risk Management and the Martial Arts (or Hoff d. Rothman, KO 1)
OK. So Chris Hoff kicked my ass. Sliced me into little pieces and fed me to the fish. I haven't gotten such a head pounding since... well since the last time I argued with my wife. You get the picture. Read the post here (http://rationalsecurity.typepad.com/blog/2006/07/risk_management.html), and get me the Advil and some towels to stop the bleeding.
A lot of the points that Chris makes are well taken. By way of defense, it's obviously hard to describe the nuances of "risk management" in a 50-word snippet. Clearly a lot of people use terms like "defense in depth" as a short cut for doing real work. But those are the same folks that cheated in high school math. You'll always have folks not wanting to do the work.
What I meant (and clearly didn't get the point across in yesterday's TDI) is that security should be thought of like martial arts. You don't take a newbie (white belt) and stick a thick board in front of them. All they'll get is a broken hand. "Unsophisticated" was the wrong term to describe the inexperience that I referred to. I apologize for that.
Why? Because being able to talk security in the language of business is hard. It's advanced stuff at the brown or black belt level. Maybe Chris doesn't think so, but Chris is an exceptional guy. Most of the security administrators I talk to don't have his intellectual horsepower or years of experience in the coal mine. These folks have a hard enough time making sure the firewall doesn't puke.
I'm clear on who I work for. I don't build my models and position my advice for the exceptional. Unfortunately, it's a relatively small market and those folks don't need my help anyway. My greatest impact is with the "blue-collar" security guy. The poor sap that is just totally overwhelmed every working day of his/her life. That ain't Chris Hoff. And I say that in the most respectful way I know how. Chris is a very very impressive guy when you sit down and talk to him.
Am I making more excuses for mediocre people? No. I'm not saying that you can really excel in security while staying at a level of inexperience or "unsophistication." You can't. Just like in martial arts: if you can't get beyond purple belt, you should find some other hobby.
Chris thinks: "It does not take any amount of sophistication to perform a business-driven risk-assessment in order to support a risk-management framework that communicates an organization's risk posture and investment in controls to the folks that matter and can do something about it."
I beg to differ. I had to read that friggin' paragraph four times before I could even figure out what he was saying. He is correct in the assessment that even the inexperienced can do many of these things. But they will not be CREDIBLE. You need to make your bones and have some success before you EARN a seat at the table. That's what I mean by "political mojo."
But Chris does hit the nail on the head relative to the process and reality that most people don't know bupkis about business: "You pick a business and asset-focused risk assessment framework and you start educating yourself and your company on how, what and why you do what you do; you provide transparency in terms of function, ownership, responsibility, effectiveness, and budget. These are metrics that count."
I've been in this space a long time and I'd never heard of the OCTAVE framework. Thanks Chris, I'll check it out. I want to be clear that the process that Chris describes is a good one and it's important. I don't want to minimize that.
If there's one thing that can be said about me, I can take a beating. Chris was right in taking me to the woodshed for some ill-advised generalizations and poor choice of words.
The truly successful security people are not "security people" at all. They are business-people that happen to do security. And yes, these folks still have a hard time getting all of the critical initiatives funded.
Chris wraps things up by basically acknowledging that most security folks (as pointed out by Farnum, who started this whole interlude) don't have time to go to the bathroom during the day. As Chris says: "It takes WORK. Lots and lots of WORK. And it's iterative, not static." At least we are all clear on that. I agree that thinking about Risk Management is the right thing to do; I just don't think it's the FIRST thing to do.


Mike:
I have two things to say in response:
1) If a man falls in the forest and there is no woman to hear him fall, is he still wrong? (AKA - I try never to argue with my wife because I will *always* be wrong)
2) You're being FAR too kind. That means one thing only...you're rope-a-doping me into lowering my left and a giant Rothman uppercut is coming any moment. ;)
Seriously though...I love yo' shizzle, Mike but you hit a hot button. I'm finishing up the second in a two-parter on Unified Risk Management which actually outlines exactly how you can effect risk management without needing elocution lessons.
I'm going back to my corner to get iced...get the cut man ready.
Chris
...but Chris kinda scared me, so I ran out of the ring.
Michael