Akamai's chief security officer talks psychology behind risk management

Summary: Akamai's chief security officer suggests that risk management isn't a science, but possibly an art form, at the 2013 RSA Conference.


SAN FRANCISCO -- Getting better at risk management may require some understanding of the psychology of how people feel about and react to risk, according to Akamai's chief security officer Andy Ellis.

Speaking at the 2013 RSA Conference on Thursday afternoon, Ellis argued that as humans, we're very good at telling stories -- but oftentimes we don't tell ourselves the truth, which hampers risk management.

"Fear motivates the back of our brain," Ellis remarked, comparing the task of improving risk management within organizations to herding cats.

"The reality is that organizations think they can get away with a lot -- and they want to," Ellis asserted.

Ellis cited a theory called risk compensation in which there is an amount of risk that people are willing to tolerate -- and even seek out occasionally.


Ellis argued that even if security professionals warn company executives about a potential hurdle or risk, the business is going to go forward anyway, and will later retort either that the warning was too arcane or that the security experts didn't warn them enough.

"Either way, you lose," Ellis lamented.

Ellis acknowledged that there is a lot of conflict here, admitting that our goals should always be to increase value for our businesses.

If you work at a for-profit company, Ellis said this is fairly easy to measure at a company-level. But within the organization, he said that's a little more difficult and more of a "gut check."

"They think of us as an investment against future risk, and if the investment isn't materializing, they think 'Why should I pay for it?'" Ellis said, describing this as a "race-to-the-bottom" mentality.

For startups, Ellis suggested this is actually appropriate and reasonable for their business. But for enterprise companies, it's a different story.

This is where risk management becomes more of a delicate art form rather than a science, according to Ellis.

For instance, Ellis advised that one approach to conveying the importance of potential risks is to "speak in their language," altering the strategy when addressing sales reps or C-level executives.

Ellis declared, "Make sure that when you present someone with a risk, you have something you can do about it."

At the same time, security professionals need to know how to play their cards right. Ellis argued that if you try to scare someone about a risk that won't materialize, they'll stop listening to you about the ones that will.

At some point, Ellis continued, risk comes down to something that needs to be manageable.




About

Rachel King is a staff writer for CBS Interactive based in San Francisco, covering business and enterprise technology for ZDNet, CNET and SmartPlanet. She has previously worked for The Business Insider, FastCompany.com, CNN's San Francisco bureau and the U.S. Department of State. Rachel has also written for MainStreet.com, Irish Americ...
