We are currently engaged in a war to achieve victory over risk. Okay, perhaps "war" is not the right way to describe the status quo. None of us can ever achieve total victory over risk. Any expert will say some risk always persists in any activity we undertake. So instead, let's say we are currently engaged in a battle to control risks. Of course, the real battle is not to control risk, but to prevent the risks from serving as openings through which threats can exploit vulnerabilities. There seems to be no end to that battle; there are occasional wins and even more frequent substantial, continuing losses. So, perhaps we are not controlling risks, just trying to manage the adversities we experience. Oh, that's right, the 21st century is all about risk management.
If there is a battle to manage risk, where are the boundaries of the battlefields? What are the rules for engagement? How do the participants measure success? Indeed, who are the participants?
There are good guys and certainly a lot of bad guys, and the first rule of combat is satisfied—forces are in opposition. On one side, the bad guys train, acquire resources, and execute strategic game plans to exploit risks that persist. On the other side, the good guys fight to foreclose the bad guys from succeeding.
For the good guys to prevail, targeted persistent risks must be managed. Either the risks are eliminated or controlled, or the potential losses from a risk being realized are minimized (by improving detection, accelerating response, or shortening time to recover) so that the vulnerability itself need not be repaired.
Moving along, what is the object of the fight between opposing forces? What are the spoils and treasures gained if the bad guys are victorious in exploiting a risk that was not successfully "managed"? How do the good guys justify the spending on new weapons, defensive resources, and more rigorous security (applied to assets as small as individual bytes of data) if the bad guys acquire the treasures?
The treasures are knowledge and time. The bad guys seek information that is factual, information that serves as a tool for gaining access to other information, and greater velocity in acquiring information and using it to create new wealth. The good guys want to preserve the information and not lose the velocity that drains away from business processes when information is no longer exclusively theirs.
Guess what? Risk management is not working. The functional and economic losses are increasing; the competitive exclusivity of digital assets is being degraded; and the ability to measure returns on the investments made in security is overwhelmed by the demands of cost controls and by new threats and vulnerabilities. The economic losses are measurable in billions and perhaps trillions of dollars.
Yet, we persist in believing that risk management is our only viable alternative.
I take a different view; I believe that risk management must be abandoned as a business discipline. The alternative is to design an entirely new infrastructure, one that advances and achieves digital trust. To prevail, we must re-define the battlefield; we must re-define what we fight for, and we must articulate a way of measuring our success that justifies the investments that need to be made. Marc Benioff, CEO of Salesforce, said in 2015, "The digital revolution needs a trust revolution." In my keynote at InfoSec World 2016, I will offer my manifesto for that revolution. I hope to see you there.
About the Author: Jeffrey Ritter is an external lecturer at three of the world's best universities—the University of Oxford, Johns Hopkins University Whiting School of Engineering, and Georgetown University Law Center. His new book, Building Digital Trust: A New Architecture (2015), offers a new way of thinking about IT and unfolds an entirely new set of tools to empower companies, governments, and industries to design, create, and measure trust in the world's information assets.