Risk Management: Stop – you’re too controlling!!!
Just as Fox Red Risk needs to keep itself lean and efficient in its ability to support its clients in all things risk management, cyber security, resilience and data protection, the Fox Red of Fox Red Risk also needs lots of exercise to keep him svelt and athletic looking. He had his annual check-up last week which included a weigh-in. Suffice to say as a Labrador he loves his food and the people around him appear to be powerless to resist his deep brown eyes…
As such, I have to find lots of innovative ways of keeping up a good exercise routine and keeping his weight down. I take him for the obligatory walks, we play lots of catch, and I have one of those plastic tennis ball catapults too (although I need to take three balls with me as he can carry two in his mouth and refuses to give them back once he has them – and by the time he has slobbered all over them I really don’t want them back anyway! One of his favourite things to do, however, is to swim. Not just swimming in a lake trying his best to antagonise the ducks and geese at the local park or; bombing into the stinkiest bog in the nearby ancient woods but a proper private swimming lesson here at Essex Canine Hydrotherapy Centre – nothing is too good for this pampered pooch!
Have I lost the risk management plot?
“Only mad dogs and Englishmen…”
As I have a pretty busy workload, and there are a lot of pampered pooches in the Essex area, the chances of me being able to book a swimming lesson for the Fox Red, and being able to know for certain we can both make the appointment (he’s a Therapy dog so has his own work schedule – so philanthropic!) I must ring up on the day and see if there is a spare slot. Luckily on the day in question, there was a free slot and so off we went with a bottle of watermelon and sweetpea dog shampoo for the post-swim blowdry – he is an Essex dog after all! I say luckily – but then I drove straight into the subject of this article. What appears to be a well-intended improvement to reduce risk being completely unused because it was poorly envisaged, poorly implemented, with the original control measure still to be decommissioned and so that control is still being used whilst the new control is to all intents and purposes gathering dust.
“A well-intended improvement in control being completely unused”
Do they not understand I have places to be…?!
So what am I going on about? Well, good question (one I ask myself often!). As I was driving to the swimming pool, leaving in plenty of time (or so I thought) I was met by a line of traffic waiting for a steady stream of small primary school-age children and their parents crossing the road at the zebra crossing. No more than 25metres from the zebra crossing was a footbridge across the same road. The footbridge would easily allow all these tiny pedestrians to cross the road with complete safety whilst allowing the traffic to pass unhindered below their little feet. But the problem…no-one is using the footbridge! So, all the vehicle traffic sits there waiting whilst at the same time the children cross at a place which is inherently more dangerous. Why, because this is what happens when risk management and continuous improvement are poorly implemented. Instead of blowing a gasket with road rage at the time my best boy is losing at the pool, I began formulating an outline as to how this type of situation could be avoided.
To help visualise the problem, above is a map which shows the route (in yellow) children take to get to and from their primary school from the local housing estate across a busy main road. When looking at the problem from a Google Maps satellite image it’s pretty straightforward to see why the footbridge is not being used and it serves as quite a simple example to discuss why improvements in control often end up becoming costly failures.
Common Risk Management Problem Number 1: Understanding the control measure which needs improving
One of the first things one should look at when attempting to improve a control measure is your data. If you’re not collecting data on the effectiveness of your controls then I highly recommend starting as soon as possible. The old adage what isn’t measured, isn’t managed is so very true. Implementing effective metrics which help you understand how your controls are affecting your business and whether they are actually reducing risk is crucial. Don’t fall into the trap of implementing metrics which are always going to show you in a positive light regardless of what you’re doing. Bad metrics will certainly help reduce the questions the Board may ask but ultimately you will be the one who has to answer the inevitable question:
‘If everything has been Green for so long, how did we have this massive security failure?!”
As luck would have it, and people in the UK care quite a lot about road safety, there is pretty good data on road traffic accidents. The Safer Essex Roads Partnership (SERP) has historical collision data going back to at least 2013 (before the footbridge was erected) which is free for the public to access. Not only is it free but they have also implemented a Microsoft Power BI viewer so anyone can slice and dice the data. In your own organisations, there will be similar sources of data such as system logs. Even if you’re not using logs now, I strongly recommend turning logging on and centrally storing those logs – the UK NCSCeven have a great open source project (Logging Made Easy) to help you get started. At least if an incident occurs you then have some data to carry out a forensic investigation.
“Use data to properly understand the problem”
When looking at the data for this particular location, there were no road traffic accidents recorded. There is however increased traffic congestion according to Google maps, coincidentally around the start and finish of the school day. It would, therefore, suggest the reason for the footbridge may have more to do with easing congestion and that improving road safety was a potentially nice side-effect. Had the planners looked more closely at the wider data they may have realised that road safety was pretty good in that area and identified that existing controls currently in place needed consideration before moving the design stage. They may have also then sought to look at why the existing control (i.e. the Zebra crossing) was located at its specific location and how that control was being used.
Common Risk Management Problem Number 2: Poor Control Design
I was once told that if you went to a doctor with a medical issue it would be likely the speciality of the doctor would strongly influence how they treated your ailment (i.e. a surgeon might lean towards surgery whereas a non-surgeon may prescribe physiotherapy or pain relief for the same issue). Whether this is actually true or not, anecdotally, people often try and solve problems with the tools they know. This is why you may see so many people using Excel to support business processes when in many cases it’s wholly inappropriate and slow – not to mention all the additional risks that come along for the ride. When it comes to risk control design its crucial to get a few things nailed. One of the first things is to ensure your control fits properly into the wider business process it is trying to protect. There is no point in designing something that is either not going to be used or fails to adequately provide an improvement in protection.
“You don’t build a seaport in the dessert”
There is also the propensity when a current control has failed to try and ‘double-up’ on the same control. The logic being is if two people do something, or the control is applied twice as often then the control will now reach the desired level of effectiveness. This is a logical fallacy. If the original control is ineffective, doubling up will typically just result in the control now being doubly ineffective – and at the same time wasting twice the resources. A good example of this is when managers implement ‘two-eyes’ checks. The logic being that one person does the work and the second set of eyes checks the work of the first person. At some point, errors creep in until they reach critical mass and then some bright spark suggests that instead of a “two-eyes” check, there should be a “four-eyes” check to reduce errors. It goes on a little while longer and because one set of eyes pays lip service to their check thinking the other has done their check correctly (or will be blamed if an incident manifests) further incidents occur. What happens then…yup…a “six-eyes” check gets implemented, then an “eight-eyes” and then a “ten eyes” (which is the maximum I have seen). All the while failing to understand why the original two-eyes check wasn’t effective.
Instead of doubling (or quadrupling) a poor control, brainstorm why the current control is ineffective. In the two-eyes example a design workshop could have asked some or all of the following questions:
- Could automation remove human error issues altogether?
- Does the person doing the check actually understand what they are checking, have they received adequate training?
- When the checker signs off on their check, do they attest to what they have actually checked?
- Is there accountability incorporated into the control (i.e. the checker is censured for failing to administer the control)?
- Are there metrics supporting the control?
If controls are poorly designed, it is inevitable these controls will also operate poorly or become white elephants. In the case of our example, before anyone can get to the footbridge from the school, they must first cross a road – this clearly does not make sense and should have been identified at the design stage.
Common Risk Management Problem Number 3: Failing to Remove Original Control
Part of control improvement or control change is decommissioning the original control. If the original control remains then people will carry on using it. Those responsible for implementing control changes must understand people typically take the path of least resistance unless they see a tangible benefit to going down a different route.
If we look again at the placement of the footbridge, we can see that to get from the school to the footbridge the school children must first cross a road. At the time of the day where the children would be leaving school also corresponds to the time where traffic around the school is the greatest (obvious when you think about it because that’s when parents will be driving to pick up their kids). It thus could be easily surmised that the risk of injury from crossing a road with no protection at all is the highest at this time. Why on earth would anyone think it’s a good idea to then locate a footbridge in a place where the children would have to take additional risk to get to the safe crossing point? All that appears to have happened here is the same risk has just been moved from one place to another.
“People inevitably take the path of least resistance for as long as possible when given the choice”
Consequently, and sensibly, parents and children have used good risk management and followed the safest path, which is also the path of least resistance. Had those responsible or designing this control placed the footbridge at the same location as the current zebra crossing, and removed the zebra crossing too, it is highly likely most people would use the footbridge. Faced with a situation of both increased danger and inconvenience, it’s not surprising the zebra crossing is still used and the footbridge is not. Additionally, the local council is still investing in a lollypop person at the zebra crossing, instead of using that resource as a change agent to channel traffic over the footbridge.
If you build it they will come…
The key to getting people in your organisation to operate in a controlled manner is to implement controls using data-driven design principles and effective change management. Understand the problem first before trying to find a solution and avoid at all costs being led by vendors telling you that they can fix all your woes with an automated tool! Consider the path of least resistance and ensure your controls are well-integrated into business processes. If someone can do something an easier way which bypasses the control then the control will be bypassed – at least some of the time. Finally, when improving controls, always have a plan to remove the existing controls where they are no longer needed, and when the new control has shown to be effective.
Don’t end up with a costly unused footbridge!
About the Author:
Stephen Massey is the Managing Director of Fox Red Risk, a boutique Cyber Security and Data Protection consultancy. Stephen has worked in the information security risk, business continuity and data protection world for nearly 20 years. Stephen has delivered complex security programmes across defence, real estate and financial services. Stephen has also authored the popular book “The Ultimate GDPR Practitioner Guide” which is available on Amazon in both paperback and Kindle eBook.
About Fox Red Risk:
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing controls frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.
accountability article 25 article 28 article 35 awareness bcms BeCyberSafe breach british airways ciso contracts controller cybersecurity data breach data privacy Data Protection dataprotection data protection officer data protection service DPIA DPO encryption GDPR iag informationsecurity information security leadership management penetration testing Pentest Privacy processor resilience risk risk appetite risk management riskmanagement security security as a service small business strategic transparency vciso virtual ciso vulnerability scanning