Risk Management and Information II

I really wanted to write this sooner but I am on a project currently.  In my previous post I raised some questions for Marco concerning three points of his post (see Risk Management and Information).  He responded, addressing each one.  Concerning my criticism about “unstructured data” he chose to accept the use of the term in its connotative usage.  I will make one final post on “unstructured data” and it’s the last thing I will say about it.

Marco goes on to reference a paper he and fellow researchers have published, and more than anything else, after I read it on the plane, the context for his post was clear and it eliminated any misunderstanding.  If one has an interest in Identity Analytics, it is worth reading.  They look at using mathematical modeling to provide guidance and predict the impact of policy choices, enabling better decision making.  At the end of his post, he asks me the following:

It would be of some interest to the readers of this blog if this statement could be elaborated (specifically in the space of IdM and information management) along with providing some recommendations/input/directions (hopefully beyond having to hire a consulting company).

I will attempt to answer that question while staying clear of methodology.  There are obvious constraints I have in my current position.  Personally, if I were independent I would publish the entire thing for one very simple reason.  Ideas are easy; executing them is difficult.  Twelve people would read it and the majority would fail to implement it properly.  This is the way the world works.  Great script a movie does not make.

Before one looks at information in all its forms, what is the purpose of risk management?  From my perspective it’s taking the knowledge that one has about how the world works and translating that into prudent decision making, in the hope that successes outnumber failures.  In business, as in life in general, there is nothing more important than proper decision making.  The entrepreneur and the executive in a large corporation will both make decisions with less than perfect knowledge, some good, some bad.

So in order to make prudent choices and decisions, businesses need an understanding of both their exogenous and endogenous risks across the entire value chain.  The determination of risks neither precedes nor follows the setting of business goals, but rather is temporally concomitant with goal setting.  Business goals are set with feedback from an existing dynamic environment, and as the environment evolves, the risks evolve, and the identification of changes in those risks should (but frequently does not) act as a negative feedback loop to activity.  The distribution of risks themselves can be broadly placed into two domains: those that exhibit a Gaussian or normal distribution and those that are scale free or follow a power law distribution.  It’s not always easy to know which of the two one is confronting.  Upper and lower bounds could be based on insufficiently small sample sizes.  Errors in decision making, even small errors in scale free networks, can have devastating consequences; just ask the former employees of Bear Stearns.
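The point about small sample sizes is easier to see with numbers.  The following is an added illustration, not code from the original post or from the paper it references: it compares a "worst loss seen so far" bound inferred from a small number of observations against the loss level one should expect over a much longer horizon, once under a Gaussian model and once under a power-law (Pareto) model.  The distribution parameters, the sample sizes and the seed are all assumptions chosen for the illustration.

```python
# Added illustration (not from the original post): a loss bound inferred from
# a small sample is roughly right for a Gaussian risk but badly wrong for a
# power-law (scale-free) risk.  All parameters below are assumptions.
import random
from statistics import NormalDist


def gaussian_quantile(p: float, mu: float = 0.0, sigma: float = 1.0) -> float:
    """Loss level exceeded with probability 1 - p under a normal model."""
    return NormalDist(mu, sigma).inv_cdf(p)


def power_law_quantile(p: float, alpha: float = 1.5, xm: float = 1.0) -> float:
    """Loss level exceeded with probability 1 - p under a Pareto model with
    survival function P(X > x) = (x / xm) ** -alpha for x >= xm."""
    return xm * (1.0 - p) ** (-1.0 / alpha)


def typical_max(quantile, n: int, **params) -> float:
    """Rough size of the largest loss expected in n observations: the
    quantile at p = 1 - 1/n (the level exceeded about once in n events)."""
    return quantile(1.0 - 1.0 / n, **params)


def underestimation_ratio(quantile, n_observed: int, n_horizon: int, **params) -> float:
    """How far the worst loss seen in n_observed events sits below the worst
    loss expected over n_horizon events.  A ratio near 1 means the small
    sample gave a usable upper bound; a large ratio means it did not."""
    return typical_max(quantile, n_horizon, **params) / typical_max(
        quantile, n_observed, **params
    )


def sample_gaussian(rng: random.Random, mu: float = 0.0, sigma: float = 1.0) -> float:
    return rng.gauss(mu, sigma)


def sample_power_law(rng: random.Random, alpha: float = 1.5, xm: float = 1.0) -> float:
    # Inverse-transform sampling from the Pareto survival function above.
    return xm * (1.0 - rng.random()) ** (-1.0 / alpha)


def simulated_max(sampler, n: int, seed: int = 7) -> float:
    """Empirical 'worst seen' in n draws from a sampler (constructed data)."""
    rng = random.Random(seed)
    return max(sampler(rng) for _ in range(n))


if __name__ == "__main__":
    n_obs, n_hor = 30, 10_000  # assumed: 30 incidents observed, 10,000-event horizon
    print("model        worst seen (n=30)  expected worst (n=10k)  ratio")
    for name, q in (("gaussian", gaussian_quantile), ("power law", power_law_quantile)):
        seen = typical_max(q, n_obs)
        expected = typical_max(q, n_hor)
        print(f"{name:<12} {seen:>17.2f} {expected:>22.2f} {expected / seen:>7.1f}")
    print("empirical max of 30 draws (seed 7):",
          round(simulated_max(sample_gaussian, n_obs), 2),
          round(simulated_max(sample_power_law, n_obs), 2))
```

Under the Gaussian model the worst loss over ten thousand events is only about twice the worst seen in thirty, so a bound drawn from a small sample is in the right neighbourhood.  Under the power-law model with the assumed exponent the same horizon brings a loss roughly fifty times the worst seen in thirty; a control budget sized from that small sample is off by more than an order of magnitude, which is the failure mode the paragraph above describes.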

Businesses need access to knowledge that will allow them to innovate, create and make prudent decisions.  Some of this knowledge confers a competitive advantage and some of it does not.  As I said in my previous post, the first order of business is to classify the information we have.  If we have not determined the relative importance of this information we do not know what we need to protect.  One could easily end up like a mad reductionist historian, satisfied to study the stains on the library wall while genuine knowledge gathers dust on the shelves.  One must confront the problem of scarcity, which concentrates efforts into protecting only the priority areas.  It is not possible to mitigate every risk to the enterprise.

The arrival of specialized information security practitioners into many corporations came with the advent of the internet.  The corporate fortress gave way to a walled city.  In many companies information security has nothing to do with explicit risk management.  Its effects lower broader risks in a piecemeal fashion.  Many infosec personnel just watch the border or set toothless policy.  It wasn’t until legislation forced changes that many companies developed real processes.  Companies that are not impacted by legislation continue with sloppy practices.  I see it all the time.

Given the foregoing, before one looks at sophisticated controls of information, it should be obvious that there is a lot that can be done better.  Assume for the sake of discussion that the corporation has identified its external and internal risks across the value chain, its risk processes are aligned with goal setting, it has proper task organization, and it has a structure that permits enterprise risk management.  What should one do to protect and control its information?

I will continue this in my next post, given the length of this one.

2008-09-16 – edited the opening to clarify some ambiguities.