Information security expert Jeffrey Ritter says the current risk-management model is irreparably broken
Most information security experts aren't afraid to state bluntly: "We're losing the battle for information security." But then again, we already knew that. Near-daily headlines about the latest cyber-theft or data breach have made that pretty clear to most people.
"It's broken and it's not getting better," said Jeffrey Ritter, author and University of Oxford lecturer. During a keynote presentation this week at InfoSec World, an information security conference, Ritter explained that the current model of information security, based on risk management, isn't working. "Risk Management is dead as a business discipline, we just don't know it yet," he said.
According to Ritter, whose latest book on the topic is called Achieving Digital Trust: New Rules for Business at the Speed of Light, truth is not achieved by managing risk, but rather by calculating trust. “Trust in the data; trust in the sources of data; and trust in the processes with which data has been created and maintained until the moment we call upon the data to do our work,” he wrote in a blog post recently.
Ritter said that by creating a model where we focus more on achieving what he calls “digital trust” rather than managing risk, we will have greater success securing information. “For the Digital Age to survive we must shift from managing the risks of relying on untruth and embrace a mindset in which we value truth and build and achieve trust,” he said.
So, What’s Wrong with Risk Management?
There are two fundamental problems with risk management, said Ritter. The first is that in pursuit of profits, managers push organizations to take unnecessary risks, circumventing risk management. The second is that mangers make risk-management decisions that don’t follow established rules or only partially follow them, and they make those decisions without the full information they need. “We are being asked to make decisions with not all the rules being followed or without all the information we truly need,” said Ritter. In his trust decision model, the established rules are followed every time. “There is no more room for executives to say, ‘frankly, I don’t give a damn,’” he said.
The Business Case
One of the centerpieces of Ritter’s ideas is that there is a great business case to be made for achieving digital trust, which he says is a must to get management to buy in. The first element of the business case is that customers place a “trust discount” on products or services that they don’t fully trust to work as effective as providers promise. Increasing trust in them can decrease this trust discount, earning more for them. “You really can create new wealth with security,” said Ritter. Another element of the business case for digital trust is that trusted information can move much faster. “The closer you get to trust the faster information can move,” said Ritter. He calls this the “velocity principle.” “The velocity of information is proportional to the transparency of its governance.”
To be sure, it’s unlikely that managers will be abandoning their risk-management models anytime soon. But Ritter raises some excellent ideas that are likely to have a big influence on how we think about securing information.