Image above is from one of my lighting designs in college.
Post Cambridge-Analytica scandal, Risk has been on the minds of a lot of people, security pros and non-techies alike. More vendors are touting their risk “capabilities” (especially around third-party) and the ones who actually do TPRM are even more bullish about it – and rightfully so. It’s a huge vulnerability area, and one that still is mishandled a scary amount. But, here’s the thing, no matter how shiny your new toy is, without the proper policies and protocols in place, it’s going to dull reallll fast.
I actually love talking to clients about risk – it’s a very personal and involved conversation, in respect to the security realm. It brings multiple business units together: HR, PR, Security, you name it. Every department has something they hold dear that could be detrimental to them and the company as a whole if exposed.
So if it’s so important, why is it mismanaged a lot? Wouldn’t there be a bigger focus on it if there was so much to lose? It’s simple, really. Everyone’s definition of “Risk” is different.
*Note: if you’ve followed me for a while you’ve probably heard me use the following analogy before, but I think it’s very applicable to this scenario.
I used to be a lighting designer back in my theatre days and one of the first things I ever learned about design concepts was to NEVER talk about colour. (think Fight Club rules level of importance here.) Now that might seem silly – colour is everything in design, right? Which is exactly why you never TALK about it – you always show it. Everyone’s concept of colour is their own, based on their preferences, biases, experiences, you name it. It leaves tons of room for misunderstanding, whereas when you show it there is no shadow of a doubt what you’re talking about.
Ex.: I was searching for hot pink heels. Just look at the range from a search that is relatively specific.
A lot of consulting organizations will try to take something of a “one-size-fits-all” approach when it comes to risk – which is a big mistake. Even if you are in the same industry, every place has a different mission statement, which leads to different risks.
Let’s take two banks, for example. One handles thousands of clients, all of average wealth. The second handles only a few clients, but with enormous amounts of wealth. Same industry, very different missions.
Bank 1 has a customer whose card was compromised. No big deal – cancel the old one, verify which charges were fraudulent, send a new card out, on your way. The amount of money lost is minimal in the whole scheme of things.
Bank 2, on the other hand, has millions at stake in the event of one of their clients’ cards getting compromised. Even if the fraudulent activity wasn’t too large, the client’s trust could be lost, which would be a massive loss of revenue.
This is exactly why two different theaters can do the same play at the same time and have two completely different shows. While the text is the same, the actors, designers, crew, the concept… it’s all unique to that company.
Risk is the lighting design of the security world.
I mentioned earlier that risk is a highly personal conversation with a client – because risk ultimately hinges on the company’s mission. You can choose a firewall for technical specs, but policies are personal.
When you start the production meetings in a play, the Director gives the vision of the play and the designers create the world within those confines. A company’s policies do the exact same thing. The Director in this case is the Mission of the company – and Risk reports directly to it.
Trust me: bad lighting can destroy a show, despite how great the performances are. Lighting creates the atmosphere – it denotes change of time, place, mood… choosing to do a scene in silhouette will make you as an audience member feel something different than if it was fully lit. Even the slightest change in light can help you focus more if it’s a stagnant scene, believe it or not.
Every show has its quirks, and so does every company. Your specific vendors, your customers, your personnel. Your risk strategy is a unique production and should be treated as one.