Posted by Chris Sullivan - VP Customer Solutions on Tue, Nov 03, 2009

This week, I was thinking about using a quote about the "burden of knowledge" to stimulate some thinking around managing risk or, more specifically, managing liabilities. Unfortunately, the term is not easily attributed to any one person. In some form, the term has been used by Nobel Laureates, heads of state and philosophers for literally thousands of years. What's more interesting is its use as a foundational element of legal systems all over the world.
For risk managers, this is important stuff. Your company can be found negligent and therefore liable for damages caused either directly or indirectly because of something you either knew or should have known. In such cases, legal systems consistently magnify findings against plaintiffs who are found to be "grossly" negligent.
What does all this mean? In legalese, ordinary negligence is for "want of great diligence" and gross negligence is for "want of slight diligence." Still unclear? So was I, so I called my lawyer and he gave me more mumbo jumbo. Then I called my nephew who is in law school and he said "Uncle Chris, if you should have known something you are negligent - you are liable. If you actually knew and did nothing, then you are grossly negligent - You are $&%!(d".
I get it now. So if you turn on a DLP solution and it generates 1,000,000+ critical alerts a week because there's lots of sensitive information moving around your company, then you are left with three obvious options:
- Eradicate the sensitive information that is, by the way, required to run your business
- Hire an army of security analysts to ferret out and address the small number of real concerns
- Shut off the DLP system because if there is one unaddressed misuse in those 1,000,000 alerts that you knew about... You did nothing... You are $&%!(d
Think I'm being dramatic? This exact scenario was presented to me by the CIO of a Fortune 100 company less than a year ago. He chose option 3 and, not surprisingly, he does not want to be quoted for this article.
What if you buy some fancy new attestation software that will process data dumps of access rights from your key systems and help you identify risks? That's helpful right? Not if you don't remediate those risks. If you don't, then you knew, you did nothing and you are...
A more sensible approach would be to put in place an Access Assurance framework to ensure that the right people have the right access to the right resources and they are doing the right things:
- If your DLP system finds Protected Health Information then bounce it off the Identity Management solution to see if the people who have access to it are clinicians. In most cases, they will be and you've automated away most of the unnecessary work.
- What's the risk of verification if your access certification process finds issues and you can't automate the requisite remediation?
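As an added illustration of the first point above (example code written for this post, not a product of the author or any vendor mentioned), here is a small triage routine that cross-references DLP alerts against role data from an identity management system. Account names, roles, and the policy mapping data classes to expected roles are constructed assumptions; the point is that alerts whose user holds an expected role are closed automatically with a recorded reason, while unknown accounts and role mismatches are queued for an analyst rather than silently dropped.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class DlpAlert:
    alert_id: str
    user: str         # account that moved the data
    data_class: str   # classification the DLP engine assigned, e.g. "PHI"

# Constructed sample identity data: account -> roles held, as an IdM system would report.
IDENTITY_ROLES: Dict[str, Set[str]] = {
    "dr.lee": {"clinician", "staff"},
    "nurse.kim": {"clinician", "staff"},
    "contractor.ray": {"contractor"},
    "billing.ann": {"billing", "staff"},
}

# Assumed policy: roles whose members are expected to handle each data class.
EXPECTED_ROLES: Dict[str, Set[str]] = {
    "PHI": {"clinician"},
    "PCI": {"billing"},
}

Decision = Tuple[str, str]  # (alert_id, recorded reason)

def triage(alerts: List[DlpAlert],
           roles: Dict[str, Set[str]] = IDENTITY_ROLES,
           policy: Dict[str, Set[str]] = EXPECTED_ROLES) -> Tuple[List[Decision], List[Decision]]:
    """Split alerts into (auto_closed, needs_review); every decision carries a reason
    so the organisation can later show what it knew and what it did about it."""
    auto_closed: List[Decision] = []
    needs_review: List[Decision] = []
    for a in alerts:
        if a.user not in roles:
            # Account unknown to IdM (orphan or shared account): never auto-close.
            needs_review.append((a.alert_id, "no identity record for %s" % a.user))
            continue
        expected = policy.get(a.data_class, set())
        held = roles[a.user] & expected
        if held:
            auto_closed.append((a.alert_id, "%s holds role %s for %s"
                                % (a.user, sorted(held)[0], a.data_class)))
        else:
            needs_review.append((a.alert_id, "%s lacks roles %s for %s"
                                 % (a.user, sorted(expected), a.data_class)))
    return auto_closed, needs_review

# Constructed sample alerts: two clinicians, a contractor, an orphan account, a role mismatch.
SAMPLE_ALERTS = [
    DlpAlert("A1", "dr.lee", "PHI"),
    DlpAlert("A2", "nurse.kim", "PHI"),
    DlpAlert("A3", "contractor.ray", "PHI"),
    DlpAlert("A4", "ghost.user", "PHI"),
    DlpAlert("A5", "dr.lee", "PCI"),
]
```

Run against the sample, A1 and A2 are closed automatically and A3, A4 and A5 are queued with their reasons, which is the "automate away most of the unnecessary work" outcome the post describes.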
By thinking holistically, you can take an approach that automates away rote work to ensure that you do know what you should know and that you can deal with it efficiently and effectively.
Did you know?
- It's official, Bing is better than Google. When researching "burden of knowledge" I noticed that Bing returned 21,500,000 results while Google returned only 16,300,000. Probably either one would have been sufficient to get me started.
- "Knowledge burdens but wisdom frees one from the burden of knowledge" - Brother Sahajananda, Benedictine monk
Posted by Chris Sullivan - VP Customer Solutions on Tue, Oct 27, 2009

With 34 successful books and decades as a regular contributor to rags like WSJ, HBR and The Economist, many regard the late Peter Drucker as the most influential thinker on management and leadership in modern times.
As a slick communicator, Drucker was very fond of saying that "If you can't measure it, you can't manage it."
Think about that for a second, "If you can't measure it, you can't manage it". Should we have been thinking this way about mortgage backed securities?
- With traditional mortgages, originators make and service their own loans. The service provider knows the borrower and takes care to ensure that the borrower has the ability to repay because if they don't, they take the loss. It's also worth noting that there's not much leverage. The originator is limited in how much they can loan by their own deposits.
- With the mortgage backed securities (MBS) era that began in the late 1970s, providers pool individual loans by the thousands and convert them into bond-like instruments that are floated to investors as claims to principal and interest. Selling these assets means that the originator has more cash to make more loans. The resulting leverage and liquidity is very seductive to the original provider, but the new provider and the real customer can no longer see each other, so you can't manage it. To complicate things, these new providers also want leverage and liquidity, so they abstract their securities yet again into even bigger pools and sell them to even bigger investors (like the Chinese government ;). No one can see anything, but we have lots of leverage and liquidity, so everyone is happy until....
- Until some of those individual mortgages fail. With all those layers of abstraction it is impossible to separate toxic assets from good ones, so investors stop buying, which seizes capital markets, so no individual or business can get a loan... and you find yourself in the worst economic downturn in 80 years.
Drucker would have said that this leverage & liquidity was the opiate that led everyone to abandon transparency and reason and, ultimately, to our collective doom. He would have said that a system like this, where the service providers deliberately abstract the actual services in a series of layers, each of which might be repackaged and resourced to a different provider until the customer and the provider have no traceable connection to each other, is a disaster in waiting. He would have said that... Wait... Am I thinking about MBSs or cloud computing? I honestly can't tell.
I can tell that the insightful and pragmatic Drucker would have made a great CISO. He would have worked tirelessly to put in place an effective framework for information governance, provisioning and access compliance before moving aggressively into the cloud so that, when his company did, they could maintain transparency and control and still get liquidity and leverage... And he would still have his job next year ;)
Did you know?
- In April 2009, the FBI raided 5 data centers in an attempt to gather evidence related to an ongoing fraud investigation. As part of these raids, they physically seized computers and storage for dozens of companies because they were co-hosted - The action effectively shut them all down until the evidence was processed.
- "Computers have enabled people to make more mistakes faster than almost any invention in history.... with the possible exception of tequila and hand guns" - Mitch Ratcliffe