Sarah Clarke’s Post

Data protection, security, AI / ML governance, risk, and compliance

I've been thinking a lot about the phrase "They don't need to know HOW it works, they just need to know it does". Pretty front and centre in my GRC world. That does kind of rest on two big assumptions: Stuff DOES work and SOMEONE knows how.

Having a handle on those things is what I'm focused on for my "Risk Triage - Who needs evidence?" SiRAcon talk. That's one heck of a subtitle given the conference strapline is Data > Dogma, but we work with what is knowable and sometimes clarity about the nature, scale, and location of uncertainty IS the data.

Informed haste vs panicked speed is vital. Knowing where to deploy a limited supply of specialists. Doing so at a point in dev or procurement when there's still slack in plans and budgets. Not doing so on day 90 of a 100 day project when someone has their finger over the GO button chanting "Are we nearly there yet?"

I've been working on an evolution of prior approaches to rapid risk triage. Something that works in our generative and other AI / ML worlds. It takes a while to sift out what we can ask and get an answer to at the far left bright ideas phases of build or purchase, but feeling timely light at the end of that tunnel. https://lnkd.in/eDhWjxFV

We shall see how that lands with my transatlantic risk community. Thanks to a lot of people for inspiring bits of this, sad to not be there in person, but very glad I finally made this RFP submission

Thomas Lee, PhD John Marshall Antonia Nicols Dave Snowden Simon Wardley Nick Drage Tim Casey Phil D. Ro-WENN-a Fielding (she/her) Robert Duncan Paulita Pranschke Brian Honan Robin Basham Adam Leon Smith FBCS Stuart Coulson Stuart Winter-Tear Patricia Shaw Gisele Waters, Ph.D. Lisa Wymer, MS Kai Roer Jack Jones Rohan Light

  • Screen shot of the sneak peek of my SiraCon talk title "Risk Triage - Who Needs Evidence?" with a link to the conference page: Societyinforisk.org/SiRAcon

Stuart Coulson

Growing Digital Security Start-ups | Connector of People | Mentor and Coach | Evangelist | Consultant | Advisory Board

2w

Sounds like a really interesting talk and I'm sure you'll nail it. It's interesting how we (are trying to) lead with Comms in cyber. Whether it's scaremongering, selling on fear and doubt, irresponsible disclosure to get the blog out, or trying to beat the bs buzzwords. At least we moved on from padlocks and hoodies! We do a lot of shouting in cyber. I'm guessing not a lot of people ask... Who is listening? Our social media feeds are all our own industry, so are we actually reaching an audience and if we do, do they care? So to your point... Do they need to know how it works? I don't need to know how my dentist works, or my accountant, or my doctor ... Just get the job done. If we want to emulate the Chartered industries, well crack on then. Get fixing some stuff. Stop giving me technobabble and get on with fixing some stuff instead of creating more value-less blinky cyber led dashboards of crap.

Drs. Andor Demarteau

Trusted Advisor, Senior Information Security, Privacy, GDPR Professional, accredited trainer, public speaker (gold dust)

2w

Interesting, especially as rules and regulations are going the exact opposite way in requiring, specifically senior management, to have at least a basic understanding on risks, InfoSec and association between those topics. Both the NIS2 directive as well as the US SEC regulations require senior management knowledge on these fronts. So the “they don’t need to know how it works, they simply need to know it does” doesn’t entirely fly here.

Nick Drage

A professional Devil’s Advocate bullet-proofing your most important initiatives.

2w

Will this be available to watch online after the event? Or do you plan on giving the talk elsewhere? And best of luck with it 🙂

Christian. T.

Working with Senior Executives and General Counsel to navigate their Technology & Cyber Security risks.

2w

You'll be amazing - this is going to be sooooo good!

Ro-WENN-a Fielding (she/her)

Data protection, data ethics and digital privacy nerd | #ActuallyAutistic

2w

If people would refrain from equating probability with prophecy, it’d be a good start….often, when digging down into the evidence base for risk-driven decisions, one uncovers a LOT more assumptions, anecdata, wishful thinking and cognitive bias than actual evidence. That kind of thing is jolly useful for surviving in nomadic groups out on the savannah, not so much for today’s high-tech, logic-driven (supposedly), precision-dependent world. Risk is a probabilistic extrapolation which requires consistent conditions and historical data to project from - that’s as good as it gets. Anyone who says otherwise is selling something.
