Catching Up and the Role of Risk in Policy Creation…


    Hola, amigos! I know it’s been a long time since I rapped at ya, but I’ve got to pay those bills!

    Ok, sorry for the Jim Anchower impersonation.

    A couple of things to note before I get down to some new content.

    First, thanks to the Security Curve weblog for the kind words. Truth be told, I’ve been subscribing (and enjoying) them for a while now - so it was a very nice surprise to see my thoughts linked in my own RSS feeder.

    Do go check out this one from their blog, “The only way to win is not to play”. Very well thought out. I hope Ed and Diana won’t mind if I add on - a game usually implies both offense and defense. We, as risk/security professionals, have a big problem, in that we will only EVER be allowed to play defense - which any West Point grad can tell you is a losing proposition. Offense is a law enforcement issue, and if you’re waiting for your local or federal law enforcement folks to hop a ride on the cluetrain, well…

    Which reminds me of a great story. The other day I’m checking out sale pricing on big monitors at the local computer super-duperstore when I can’t help but overhear the sales guy claim to an elderly couple checking out some Windows PC that “The firewall will even log the attacker’s IP address in case you want to get law enforcement involved.”

    No joke.

    Second, for those risk geeks among us to whom the name E.T. Jaynes draws respect and awe - you’ll want to put the “Statistical Modeling, Causal Inference, and Social Science” Weblog (Catchy name, eh?) in your RSS feeder/reader.

    Third, I caught this, “The Death of the CISO” from the Episteme Weblog after catching it on Security Incite. Thanks Mike! Good post, and something to chew on. “Soft Skills” might be turning into “Risk Skills” pretty quick. What have ye wrought, Dan Geer?!

    Finally, if you haven’t seen it already, our friend Chandler posts (Belated) Notes from the Jericho Forum.

    Risk and Policy

    Today I had the pleasure of speaking with someone who had a very smart idea. I’ll ask you what you think - should risk analysis drive policy? If I do a discrete risk analysis and find something “bad”, does this mean I should run out and write new policy to mitigate risk and express awareness?

    Maybe. This individual has good reason to turn risk expression into policy posthaste. But if there wasn’t that reason, could I advocate such a move?

    It seems logical: if risk drives business decisions, and policy is simply an expression of the decisions the business makes, then only risk should drive policy, no?

    However, I can’t wholeheartedly advocate such an approach. Codification of policy essentially creates bureaucracy. Bureaucracy can never be accused of being dynamic and flexible, but the conditions (factors, for us FAIR folk) we work in are very dynamic and flexible. So my fear is that expressing a risk state as policy will lead to inefficiencies, because what you end up with is an expression of state at one point in time - and likely not a reflection of current state when exception requests inevitably show up.

    Let risk analysis govern guidelines and procedures. Let risk influence policies, yes. But consider how dynamic and flexible your policy processes are before writing policy because of risk assessment. Remember that theoretically speaking, policy should be interpretive. It’s procedures and guidelines that need to express current state.


    3 comments

    1. wpn Oct 6

      Hmmm. Depends on what you’re using the policy for. If you need it as reinforcement/legal defensibility when you fire or prosecute someone, you’ll end up having all kinds of things in the policy that you never thought needed to be in there, that you thought would be intuitively obvious. (I never thought it needed to be said that putting back doors in applications is Wrong, but there you have it.)

      On the other side, policies also end up very often with the words, “…exceptions to this policy may be granted at the discretion of [insert executive decisionmaker here].” You gotcher risk analysis right there!

      I absolutely agree that any description of HOW you implement the policy has to go into the standards and guidelines.

    2. Alex Oct 6

      (I never thought it needed to be said that putting back doors in applications is Wrong, but there you have it.)

      That made me laugh out loud. It’s amazing, isn’t it? It’s like a bad firewall rule - default allow unless explicitly denied.

      I guess you’re right. Policies can be more specific and practical to serve purpose. I had forgotten that in the politics of exception handling and creation processes I’ve grown accustomed to.

    1. More on Strategy at RiskAnalys.is
