Effective security risk management is grounded in real life. This provides an interesting opportunity to take wider analogies and apply them to the security context. Whilst this may appear somewhat gratuitous, I claim some validity on the basis that this context is so important to security.
I have a rather superficial but useful personal theory that I call the threads of life. It helps me make sense of the confusing and contradictory situations that life gives us on a daily basis.
The ancient Greeks believed that the three Fates sat spinning the threads of life for each mortal. They held a fatalistic view that our lives were, to a great extent, predetermined by these three aged spinners of fate. I’m not sure that I agree with our Greek forbears, as I believe we can and do affect our own destinies, but I do find the thread analogy useful for a number of reasons.
As I see it, we all throw out threads (such as opportunities for synergy) as we move through life. We are also surrounded by threads thrown out by other people and organisations, indeed by life itself. These threads may be meetings, visits, projects or a range of other actions or events; they may even be situations in which we find ourselves. My writing this piece is a thread, as is your reading it. Where threads cross, we may have potential for an opportunity.
Now, a number of things are necessary for a crossing of threads to develop into something useful:
Someone needs to see the threads and the crossings, to see the potential and be in a position to explore it and develop it. We all have different abilities. Some people are good at putting out threads, some are good at spotting crossings or identifying potential. Some are good at developing opportunities, and some have the ability to sift out those that are worthwhile. None of us are good at everything, though all of us can develop.
What has this to do with security? For me, it is simple: information security is all about shaping our own environment and creating a space that is easy for us to defend but hard for others to compromise. If we see security management as a process whereby we actively put out threads that enhance our safety and control, whilst weakening our adversaries, we enhance our mastery of our chosen area of responsibility. We need to remain vigilant for threads that are useful to us, whether external links or internal opportunities to do things better. Crucially, there is one more thing… If we are tuned to watch for threads that an adversary may put out, then we have a valuable intelligence channel and may be in a stronger position to seize the initiative and control our environment.
The moral, if there is one: We must be proactive in creating and seizing opportunities to manage our risk picture in an active way. If we fail to do this, then someone else will and our destiny will follow someone else’s agenda!
A range of other security analogies can be found at the analogies project website. http://theanalogiesproject.org