• ⇤
• ⇽
• ≡
• ⇾
• ⇥

a risk practitioners uprising

the journal of Michael Werneburg

twenty-seven years and one million words

I took a couple of vacation days to go to Minneapolis and join the third annual conference of the Society of Information Risk Analysts, an interesting group of risk practitioners that is putting together what seems to be not exactly a people's uprising but a practitioners' uprising in the information risk management field. Here's the first blog post they put out; it has a lot that resonates with me. In particular, this:

"If we lived in a world lacking an evidence-based approach, we’d get a bunch of frameworks from really impressive-sounding groups saying they’ve got the answer. We’d see a flood of similar-but-unique “best” practices and standards that claim to work everywhere. To top it off, we would be overwhelmed with failures (and successes) in all shapes and sizes and we’d struggle to recognize their significance. Meaning, if we lived in a world lacking an evidence based approach, we would be slave to the loudest voice, the scariest story, or the catchiest magazine article."

(Spoiler alert: we live in a world lacking an evidence-based approach.)

That blog post was nearly four years ago (and I realize that I'm coming late to this party), but the intent expressed in that post is really happening. What I joined in this conference was a revelation. They had three authors who are names in this narrow field, and a total of fifty participants from around the continent gathered to discuss this problem. Several of the speaker talked about serious math and modelling matters, and others talked about critical failures in the way the business is otherwise conducted (one even spoke on why CISO's are so a-social). One speaker presented a paper on exactly the kind of work I do - managing risk at a technology provider in a regulated industry.

Threaded through all of this was a common understanding that there's no use even engaging the main "authorities" on risk because of the lack of evidence that any of the solutions espoused by those authorities works at all. Against a regular drum-beat of record security breaches and new technology exploits, and against in the face of failures of all known standard frameworks, this group is starting afresh. They're even writing their own "body of knowledge" about how to do information risk management that actually works. As with the Web 1.0 boom, and spending the financial crisis watching an investment bank melt down, I once again have the sensation that I've been present where something is going on, and I'm grateful for the opportunity.

This was easily the best conference I've attended. Not only was it fascinating, but it was brilliantly planned and I found myself quite comfortable approaching people and engaging through the two-day event. Tellingly, I met a couple of other attendees who were there like me, on their own dime and using up their own vacation time. For both of them, it was not their first time doing so. Next year, it won't be mine.