X
Tech

Akamai's chief security officer talks psychology behind risk management

Akamai's chief security officer suggests that risk management isn't a science, but possibly an art form at the 2013 RSA Conference.
Written by Rachel King, Contributor
securityperson

SAN FRANCISCO -- To get better at risk management, it might require some psychology into how people feel and react to risk, according to Akamai's chief security officer Andy Ellis.

Speaking at the 2013 RSA Conference on Thursday afternoon, Ellis argued that as humans, we're very good at telling stories -- but often times we don't tell ourselves the truth, which hampers risk management.

"Fear motivates the back of our brain," Ellis remarked in comparing herding cats to improving risk management within organizations.

"The reality is that organizations think they can get away with a lot -- and they want to," Ellis asserted.

Ellis cited a theory called risk compensation in which there is an amount of risk that people are willing to tolerate -- and even seek out occasionally.

"The reality is that organizations think they can get away with a lot -- and they want to," Ellis asserted.

Ellis argued that even if security professionals warn company executives about a potential hurdle or risk, the business is going to go forward anyway, retorting that the suggestion is either arcane or that security experts didn't warn them enough.
"Either way, you lose," Ellis lamented.
Ellis acknowledged that there is a lot of conflict here, admitting that our goals should always be to increase value for our businesses.
If you work at a for-profit company, Ellis said this is fairly easy to measure at a company-level. But within the organization, he said that's a little more difficult and more of a "gut check."
"They think of us an investment against future risk, and if the investment isn't materializing, they think 'Why should I pay for it?'" Ellis said, describing this is a "race-to-the-bottom" mentality.
For startups, Ellis suggested this is actually appropriate and reasonable for their business. But for enterprise companies, it's a different story.

This is where risk management becomes more of a delicate art form rather than a science, according to Ellis.
For instance, Ellis advised that one approach to conveying the importance of potential risks is to "speak in their language," altering the strategy when addressing sales reps or C-level executives.

Ellis declared, "Make sure that when you present someone with a risk, you have something you can do about it."

At the same time, security professionals need to know how to play their cards right. Ellis argued that if you try to scare someone about a risk that won't materialize, they'll stop listening to you about the ones that will.
At some point, Ellis continued, risk comes down to something that needs to be manageable.
Ellis declared, "Make sure that when you present someone with a risk, you have something you can do about it."

More from the 2013 RSA Conference on ZDNet:

Editorial standards