Security professionals managing risk programs can learn new approaches to assessing risks from a variety of non-security environments.
Related post: How TRAs May Prevent Data Leaks
One recent personal experience serves as an excellent example of how we can learn from new, and sometimes painful, situations.
A beloved family member was on vacation when they fell ill, and had to be admitted to a foreign hospital. The care was exceptional, but our family member's condition worsened very quickly. The diagnosis was terminal, and the time he had left was short.
The medical team charged with their care completed an assessment of the family member's condition quickly − our version of a threat and risk assessment. The medical team determined it was appropriate to airlift the family member back home.
At first, we were upset. How could this team of apparently heartless doctors and nurses dare consider it was safe to fly our family member home? Why couldn't they simply let them be at peace where they were?
The flight was scheduled, and the family member flew home with their spouse. Shortly after they were settled into a local hospital, they passed away with the loss, but the hidden lesson is something I am now starting to understand.
The clinicians at the foreign hospital had enough supporting evidence, from decades of previous clients, to realize that the costs of managing our family member's care would exceed his insurance coverage, and that (based on the risk assessment, or detailed physical examination) our family member would be more comfortable at home in Canada.
It struck me that these clinicians had followed an approach we have used in the security industry while conducting risk assessments.
The more time I spent understanding their approach, the more foolish I felt for simply reacting emotionally instead of trying to appreciate their risk methodology.
I learned some valuable lessons from this chapter in my life and career. While we are learning to become a risk-based profession, we have been collecting meaningful statistics regarding the human body and its response to disease for centuries. They have mapped our genome, developed vaccines we could only have dreamed about decades ago, and created protocols to cure some of our most damaging diseases. The medical profession has continually applied risk management theories against their body of knowledge − comparing how well their risk remediation plans (treatments, vaccines, and cures) have fared against their recognized threats (measles, high cholesterol, and cancer).
We need to keep focusing on a risk-based, business-focused approach to security.
As professionals, we need to continually review our body of knowledge and our past and current understandings of how we assess risks, and how well our remediation plans worked.
I'm not writing about the loss of a family member to earn sympathy, or publicly deal with the loss. I have always been a strong believer in using real-life examples to help our security profession grow into a risk profession.
This was the lesson I found once I got past the loss − he'd be proud I found it.