Risk of Verification -- Applied Wisdom Nugget #3
This week, I was thinking about using a quote about the "burden of knowledge" to stimulate some thinking around managing risk or, more specifically, managing liabilities. Unfortunately, the term is not easily attributed to any one person. In some form, the term has been used by Nobel Laureates, heads of state and philosophers for literally thousands of years. What's more interesting is its use as a foundational element of legal systems all over the world.
For risk managers, this is important stuff. Your company can be found negligent, and therefore liable for damages caused directly or indirectly by something you either knew or should have known. In such cases, legal systems consistently magnify the findings against defendants who are found to be "grossly" negligent.
What does all this mean? In legalese, ordinary negligence is for "want of great diligence" and gross negligence is for "want of slight diligence." Still unclear? So was I, so I called my lawyer and he gave me more mumbo jumbo. Then I called my nephew who is in law school and he said "Uncle Chris, if you should have known something you are negligent - you are liable. If you actually knew and did nothing, then you are grossly negligent - You are $&%!(d".
I get it now. So if you turn on a DLP solution and it generates 1,000,000+ critical alerts a week because there's lots of sensitive information moving around your company, then you are left with three obvious options:
- Eradicate the sensitive information that is, by the way, required to run your business
- Hire an army of security analysts to ferret out and address the small number of real concerns
- Shut off the DLP system, because if there is one unaddressed misuse in those 1,000,000 alerts that you knew about... You did nothing... You are $&%!(d
Think I'm being dramatic? This exact scenario was presented to me by the CIO of a Fortune 100 company less than a year ago. He chose option 3 and, not surprisingly, he does not want to be quoted for this article.
What if you buy some fancy new attestation software that will process data dumps of access rights from your key systems and help you identify risks? That's helpful, right? Not if you don't remediate those risks. If you don't, then you knew, you did nothing and you are...
A more sensible approach would be to put in place an Access Assurance framework to ensure that the right people have the right access to the right resources and they are doing the right things:
- If your DLP system finds Protected Health Information, bounce it off the Identity Management solution to see whether the people who have access to it are clinicians. In most cases they will be, and you've automated away most of the unnecessary work.
- What's the risk of verification if your access certification process finds issues and you can't automate the requisite remediation?
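As an added example that is not part of the original post (and not any DLP or identity product's API), here is one way to implement both points above in Python. The alert feed, identity directory, role names, certification findings and 30-day SLA are all constructed assumptions. The first function joins DLP alerts to identity-directory roles so that PHI handled by an entitled clinician is closed automatically with a recorded reason, leaving only the real exceptions for a human; the second lists the certification findings the organisation has known about for longer than its remediation SLA, which is exactly the "knew and did nothing" exposure.

```python
"""Triage DLP alerts against identity data and track unremediated findings.

Added illustration for the post above; not the author's code or any product's API.
All inputs (alerts, directory, findings, dates) are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical policy: which data classes may be handled by which IdM roles.
ENTITLED_ROLES = {
    "PHI": {"clinician", "nurse", "medical-records"},
    "PCI": {"billing"},
}


@dataclass(frozen=True)
class DlpAlert:
    alert_id: str
    user: str
    data_class: str   # label assigned by the DLP engine, e.g. "PHI"
    resource: str
    action: str       # e.g. "email", "upload", "print"


# Constructed identity directory: user -> roles pulled from the IdM system.
DIRECTORY = {
    "dr.lee": {"clinician"},
    "nurse.kim": {"nurse"},
    "j.smith": {"sales"},
    "records": {"medical-records"},
}

# Constructed DLP alert feed.
ALERTS = [
    DlpAlert("a1", "dr.lee", "PHI", "/ehr/patient/1234", "email"),
    DlpAlert("a2", "nurse.kim", "PHI", "/ehr/patient/5678", "print"),
    DlpAlert("a3", "j.smith", "PHI", "/ehr/export.csv", "upload"),
    DlpAlert("a4", "ghost", "PHI", "/ehr/patient/9999", "email"),   # unknown to IdM
    DlpAlert("a5", "j.smith", "PCI", "/finance/cards.xlsx", "email"),
]


def triage(alerts, directory, entitled=ENTITLED_ROLES):
    """Split alerts into auto-closed (entitled user) and escalated (needs a human).

    Each auto-closed alert carries the reason it was closed, so the record shows
    'we knew, we checked, the access was appropriate' rather than 'we ignored it'.
    An unknown user is never auto-closed: no identity means no entitlement.
    """
    closed, escalated = [], []
    for a in alerts:
        roles = directory.get(a.user)
        allowed = entitled.get(a.data_class, set())
        if roles is None:
            escalated.append((a, "user not found in identity directory"))
        elif roles & allowed:
            closed.append((a, f"entitled via role(s) {sorted(roles & allowed)}"))
        else:
            escalated.append((a, f"roles {sorted(roles)} not entitled to {a.data_class}"))
    return closed, escalated


@dataclass
class Finding:
    finding_id: str
    description: str
    opened: date
    closed: Optional[date] = None


# Constructed output of an access certification run.
FINDINGS = [
    Finding("f1", "j.smith retains PHI read access after transfer to sales", date(2024, 1, 5)),
    Finding("f2", "orphan account 'ghost' still enabled", date(2024, 1, 20)),
    Finding("f3", "contractor access not recertified", date(2024, 2, 1), closed=date(2024, 2, 10)),
]
TODAY = date(2024, 3, 1)  # constructed 'now' for the example


def overdue_findings(findings, today, sla_days=30):
    """Findings the organisation knows about but has not remediated within the SLA.

    Anything returned here is the liability the post describes: known, unaddressed.
    """
    cutoff = today - timedelta(days=sla_days)
    return [f for f in findings if f.closed is None and f.opened <= cutoff]


if __name__ == "__main__":
    closed, escalated = triage(ALERTS, DIRECTORY)
    print(f"auto-closed {len(closed)} of {len(ALERTS)} alerts")
    for alert, reason in escalated:
        print(f"ESCALATE {alert.alert_id} {alert.user} {alert.action} {alert.resource}: {reason}")
    for f in overdue_findings(FINDINGS, TODAY):
        print(f"OVERDUE {f.finding_id} (opened {f.opened}): {f.description}")
```

The design point is that auto-closure is a positive decision with an auditable reason, not a suppression rule; the escalated list is small enough to staff, and the overdue list is the one report a risk manager should never let grow.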
By thinking holistically, you can take an approach that automates away rote work to ensure that you do know what you should know and that you can deal with it efficiently and effectively.
Did you know?
- It's official, Bing is better than Google. When researching "burden of knowledge" I noticed that Bing returned 21,500,000 results while Google returned only 16,300,000. Probably either one would have been sufficient to get me started.
- "Knowledge burdens but wisdom frees one from the burden of knowledge" - Brother Sahajananda, Benedictine monk