One could argue that life is all a series of risks. Sometimes we remain in a state of ignorant bliss. Other times, we are aware of risks and take measures to mitigate it. But sometimes we choose to accept the risk.
Accepting risk is not a bad thing. Quite the opposite. Without risk acceptance, there would be no innovation. The reservoir of great ideas would dry up and bankers would have to make do make ends meet with mere six figure bonuses. Risk acceptance is the grown up thing to do. “We understand the risk, and chose to accept it. It’s the cost of doing business.”
But the question is whether some of the risks businesses accept are “unreasonable”. Like creating a toy that captures children’s information. Such as their name, address, birthday, photo, parents details, and allergies – then taking this information and putting it on an insecure website. We don’t mean a website that is accessible over HTTP minus the S. But a website so insecure that it makes OWASP training websites look ‘military grade secure’ by comparison.
Thankfully though, whenever a company is breached and millions of customer records are exposed – a company can merely shrug and say sorry. All the time while assuring they ‘take security seriously’. Customers don’t like it. Troy Hunt will upload the data to haveibeenpwned.com and the world will grit their teeth and take it. This is the seedy world of corporate risk acceptance. The terrifying underbelly of cyber-actuarial tables (if such a thing exists).
The point is that you can’t innovate and deliver new functionality to customers by building a secure website. Or waste precious time ensuring your hardware is hacker-proof. If you do, your competitors will have leapfrogged you. Not to mention, no customer would want to pay a premium on your offering just because you say it’s more secure than the others.
Or maybe the real question is “how secure do I need it to be?”.
Host Unknown presents: Accepted the Risk (A Risk Management strategy for removing blockers to productivity)
Why waste time remediating when you can simply accept the risk?
@HostUnknownTV bring to life a Risk Manager who gets the balance of risk management very wrong. Are the CISA auditors being inflexible or did Javvad skip a module on his CRISC?
Love it? Hate it? Leave a comment below!
Produced by Mahmoud El-Azzeh @mantheycallmoo
Directed by Mahmoud El-Azzeh
Director of Photography – Caleb Wissun-Bhide
1st Assistant Cameraman – Iustin Filip-Mucenic
Editor – Lara Blanco
VFX and Colour Grading – Timothy Greenfield
Dancers provided by Epika Dance http://www.epikadance.com/
Emiko Jane Ishii
An Elazayan Films Production