Pi day

The awareness messages relating to 'security innovation' are slowly crystallizing, prompted in part by the thinking behind this month's evolving risk-control spectrum diagram:

[Diagram: the evolving risk-control spectrum]

The diagram shows two overlapping bands of risk:
  • On the one hand, failing to adopt and exploit novel technologies or other forms of control constitutes missed opportunities for the organization, depending on how often and to what extent that occurs.
  • On the other hand, pressing ahead too quickly with immature technologies and the like increases the risks of failures and costs arising.

Both of those risks can be controlled through suitable strategies, policies and approaches to the management of information risks. A highly risk-averse organization is likely to be conservative in its choice of security technologies, for instance. While it may avoid the dangers of getting into unfamiliar territory, it may also be missing out on viable business opportunities and failing to address information risks. Conversely, a more gung-ho management might take advantage of new opportunities (such as quantum cryptography) but suffer as a result of unanticipated problems and maybe outright failures of novel approaches, since beyond the 'leading edge' lies the 'bleeding edge'.

I'm hinting that organizations should probably take a balanced, considered approach, hopefully avoiding or at least being prepared for and mitigating those extremes.

There's another issue though, relating to those high-end information risks that can blind-side an unprepared, blinkered or overly conservative organization. I'm talking here about novel threats or exploits: perhaps entirely new classes or modes of attack, or significant but as yet unrecognized vulnerabilities and impacts. If the organization doesn't spot them and respond appropriately and promptly, that could potentially be a catastrophic failure of information risk management.

In the course of using and expanding upon that and other diagrams in the awareness briefings and seminar slide-decks, we often make changes to the diagrams - in other words, this is an iterative development process - DevOps, you might say ... which fortuitously reminds me of another security innovation theme to bring up in this month's awareness module.

PS Happy pi day. I hope you enjoy the tangents.