Fail fast, fail often
'Fail fast, fail often' is the creative idea that businesses (or business units, departments, teams, projects or even individuals) can deliberately push the envelope, innovating and taking chances (knowingly accepting some risks) to the point that they are prepared to fail.
'Fail often' is about being well-practiced at dealing with failure, having the appropriate arrangements in place, and responding positively - bouncing back on the front foot rather than being knocked back and landing in a heap, nursing their wounds. It's certainly not about wanting or trying to fail, nor being inept, incompetent or reckless - far from it. It's about consciously and deliberately choosing to get into some risky situations for sound business reasons, based on information and projections about the risks and opportunities, the costs and benefits. That takes a mature approach to risk management, business continuity management in particular. More than simply accepting that shit happens, it involves being or getting ready to deal with it, and having the fortitude to press ahead anyway.
Those last two clauses are linked by the way. 'Being ready for whatever may happen' supports 'pressing ahead anyway' - it's assurance. It's the reason fast cars have good brakes. Would you hurtle if you didn't think you could stop smartly?
'Fail often' also implies taking bigger/more chances where the consequences of failure are lower - little fails are dealable-with. Total balls-out disasters are organization-, career- and maybe life-threatening. The point is to gain experience and become well-practiced under relatively limited or controlled conditions before heading out on to the highway in your brand new Bugatti.
'Fail fast' means spotting (at the earliest opportunity) when things look like they are going tits-up and dealing effectively with that developing situation to forestall and either avoid or minimize the damage, rather than failing to notice and respond both in good time and appropriately. This is another angle to risk management. It's mostly about situational awareness - spotting the little dog or kid about to run across the road, or the concrete lorry swerving desperately to avoid it. Knowing how to respond is another part of it.
Security awareness supports both 'fail fast' and 'fail often' ... or rather, given the right approach, it can do:
- Being more aware of the things that might possibly go wrong makes managers and other business people and advisers more able to plan and prepare for them - and more likely to spot them coming (just as the driving instructor says "Watch out for kids" near a school or playground);
- Having the knowledge and the tools/methods - the competences - to explore and treat information risks improves the quality of decision making and actions. Knowing that there are options, alternative approaches, other possibilities, means less likelihood of being driven down a dead-end street by someone too blinkered to appreciate there might be other routes;
- Being better informed raises the game for everyone involved. Even something as simple as being familiar with terms such as resilience, recovery and contingency gives risk and security-aware managers the advantage over their less clued-up peers. It certainly makes discussion more fruitful, less frustrating!;
- Understanding the wider context gives security-aware people a broader perspective on things, with less chance of literally 'being caught unawares'.
An obvious application of this in the IT/information sphere is agile software development - a suite of methods that aims to make changes to software systems much more frequent, albeit smaller, than through the traditional waterfall approach. There are numerous information risks associated with all software developments, and of course with the systems being developed. There are also numerous ways to deal with those risks. Security-aware people know this and are in a good position to take advantage of the possibilities and shortcuts, while avoiding the potholes. Security-ignorant people risk being taken advantage of, misled, hoodwinked into unwise decisions, led down the garden path and perhaps dumped unceremoniously down the well.
Less obviously, risk awareness supports decisions and actions in a far wider range of situations. I'm a big fan of prioritization as a universal approach, particularly risk-based and value-based prioritization: identify and deal with the most risky, most valuable stuff first and then work your way down to lesser priorities, constantly re-evaluating and monitoring for changes. If at any point you are stopped - maybe run out of money, suffer an incident or experience a dramatic change of circumstances - at least you can say you've secured the big wins already.