Managing certainty
'Reducing uncertainty' is the prime focus of information risk management today. We do our level best to identify, characterise, quantify, evaluate and where possible reduce the probabilities and/or adverse consequences of various possible events.
Uncertainty is an inherent part of the problems we typically face. We don't know exactly what might happen, nor how or when, and we aren't entirely sure about the consequences. We worry about factors both within and without our control, and about dependencies and complex interactions that frustrate our efforts to predict and control our fortunes. We adopt fallback and recovery arrangements, and apply contingency thinking with the intention of being better prepared and resourced for unanticipated situations ahead.
A random comment on LinkeDin set me thinking about the converse: 'reducing uncertainty' is the flip side of 'increasing certainty', in other words information risk management is equally about increasing certainty of beneficial, valuable outcomes such as not suffering the adverse consequences of incidents as often and/or as severely. It's also about increasing certainty in general, which is why we put so much effort into gathering and assessing information, monitoring and measuring things, implementing mitigating 'information security controls' that give us some semblance of control over the risks.
Assurance is a big part of reducing uncertainty. We check and test things, review stuff and conduct audits to increase both our knowledge of, and our confidence in, the arrangements. We seek to identify and tease out potential issues that need to be addressed in order to avoid nasty surprises.
Resilience is another chunk. Building the strength and capability to respond effectively and efficiently to whatever might happen, maintaining critical activities throughout, is a powerful approach that extends from individuals through families, teams and departments, to organisations, industries and society at large.
Thanks to those uncertainties, we are inevitably building on shaky foundations. Our information risk management practices and information security controls are imperfect ... but at the same time they earn their keep by generating more value than they cost, for example by:
- Providing credible information about various situations, allowing us to make rational decisions, prioritise and plan things, allocate appropriate resources etc.;
- Reducing or constraining the problem space where possible, increasing our ability to focus on The Stuff That Really Matters;
- Allowing us to consider and deal with potential incidents in advance, knowing that we will struggle to do so during some future crisis.
Along with assurance and resilience, that added value is clearly a positive, beneficial aspect to information risk management ... in contrast to the rather negative edge on 'reducing uncertainty'.
I'm not arguing that 'increasing certainty' should be our new mantra, rather that we might be more business-like in how we go about what we do, putting more effort into increasing and talking-up the positives and less into reducing and warning about the negatives. In my experience, managers are more inclined to invest willingly in activities that are positioned as and appear to be value-enhancing and beneficial to the organisation, rather than loss-reducing, even though they amount to the same thing in this context. It's all about perception and emphasis.
More carrot, less stick please.