William H. Saito, President and Chief Executive Officer of InTecur, explains how nature is the best example of risk management
Risk management is not new. It is something we are born with. The most basic risk management systems are part of our DNA. We adapt, develop and occasionally improve on aspects of our natural heritage to build resilience. Nature evolves – it changes, it learns, it gets better. This is key to long-term success, and it is something we must embrace.
The same principles apply to Enterprise Risk Management (ERM) as they do to IT security, or any other form of catastrophic risk. The Fukushima disaster in Japan, for example, taught us that most large accidents do not simply “occur”. There are many little warning signs and minor events, which then build up to a critical mass, a tipping point or a perfect storm. These ignored warning signs sometimes precipitate into catastrophe.
Professional risk managers may want to talk about probability risk assessment or Monte Carlo mathematical models, but risk management in any organization – public or private – is a topic fundamentally grounded in the natural world. People usually want to bring together the most brilliant minds in a variety of cutting-edge fields to plan, analyse or defend against some new technology. But all you really need to do is look at how similar problems are dealt with in nature.
Failing IT security is an increasing and potentially catastrophic risk, but the fertilization of a human egg may provide a solution. Only one sperm is allowed to get inside that egg, and once it does, the doors are closed and locked – even though there are thousands of identical candidates banging on the door, each carrying an identical DNA “key” that should, in theory, grant them access. Talk all you want about biometric authentication – this is one pretty sophisticated security system at work.
The animal kingdom also shows us different approaches to risk management; all are effective for different purposes. Why do some fish swim in schools or mammals herd together? Call it instinct or evolution, but the bottom line is that their risk management “protocols” are an integral part of their being. Of course, individuals on the periphery of the swarm or the herd are more exposed and thus less secure, but this natural “system” is designed to protect the group. The loss of a tiny fraction of its members is an acceptable element in the process of mitigating risk for the group.
Look at how penicillin and other antibiotics attack certain bacteria, but leave others untouched. That is an alternative approach to authentication being offered by biochemistry. Antibiotic resistance is yet another experience we need to learn from. You cannot approach risk management after the fact, or add on “safety features” when a product or a complex system is nearing completion. It has to be built in from the start.
We need to look at the problem differently. We must learn the lessons from a million years of history to anticipate the risks of the future. Some will be disappointed at not finding clear-cut mathematical or even procedural answers to urgent questions about risk and security. However, understanding the right way to approach a problem is often much more useful than getting a quick-fix answer to that problem.
Today’s answers are almost certain to prove unsatisfactory tomorrow, not because the answers are wrong, but because the problems keep changing. Sustainable success in risk management is rooted in an attitude, not a single solution.