An evolutionary revolution?


"Mitigation and adaptation are required together to reduce the risks and impacts of climate change, including extreme weather events. Mitigation refers to actions taken to limit the amount of greenhouse gas emissions, reducing the amount of future climate change. Adaptation refers to actions taken to limit the impacts of a changing climate. Mitigation and adaptation together provide co-benefits for other environmental and social goals."

That paragraph by Lizzie Fuller, Climate Science Communicator for the UK's Met Office, plucked from another excellent digest of lessons learned from various UK resilience exercises and initiatives, obviously concerns climate change ... but it occurs to me that 'mitigate and adapt' might be a novel approach to information risks and impacts as well.

Normally, we think, talk and work hard on mitigating unacceptable information risks using Preventive, Detective and Corrective controls. Fair enough ... but our powers are limited, not super, so there are inevitably residual risks, meaning that incidents still occur, despite our very best efforts. In relation to information or cyber security risks, specifically, we experience minor 'events' all day every day, with more serious newsworthy 'incidents' most weeks and headline 'disasters' most months. We may not have had a true 'crisis' yet, but it's surely only a matter of time (and semantics!).

... so ... in addition to those PDC controls and the usual resilience, recovery, contingency and continuity approaches, I'm left pondering Lizzie's comment.

Is 'adaptation' an additional form of risk treatment, or a variation on the conventional 'avoid, reduce, share or accept'?

Clearly we do 'adapt' to the ongoing events, incidents, disasters and crises in various domains. Speaking as a former (lapsed? reformed?) geneticist, adaptation is an integral part of life. Any truly serious occurrence ends some lives while leaving others harmed or unscathed, an entirely natural process that reduces the prevalence of characteristics that caused or failed to prevent deaths and increases the prevalence of those that promoted or permitted survival. The effects of any one occurrence may be minor but, given sufficient occurrences over time, they accumulate in the process known as evolution. That is, provided the occurrence is not existential, one-up from critical.

In the field of information risk and security, we learn by reading, thinking and doing. We pick up and sometimes share good practices. We advise and encourage each other, try things out, figure out what seems to work, do more of that and less of the other ... and generally muddle through. Is that 'adaptation'? Is the field 'evolving'? I believe so. I've certainly noticed substantial changes since way back when I was a boy. I believe we can do even better though by getting smarter at this stuff.

I'm just not sure how. Hmmmmmmmmmmmmm ...