Here we go again.  In the latest round of annual security surveys we now have the “2008 Security Survey” from InformationWeek.  As presented by its authors, the main message of this survey is that “risk management” is the answer to the woes of continued investments in security that has seemingly no real improvement.  The survey is thorough in its analysis of the data collected, and even goes on to point to applications of “risk management” by industries like insurance as models of a proactive strategy that should be emulated by information security managers as well.

The survey once again confirms earlier conclusions and collections of anecdotal evidence that emerge year after year in surveys taken and published not only by InformationWeek but others (e.g., “Global Security Survey” from CIO, “State of Information Security” from CSO, the industry-specific Global Security Surveys from Deloitte, and the “Global State of Information Security” done annually by PriceWaterhouseCoopers, CIO and CSO).

While every one of these surveys delivers powerful reminders of “where we are” with regard to our current information security practices and status, there seems to be a consistent thread of “why are we stuck?” along with exhortations to be more diligent (like the insurance industry) in performing “risk management” to help determine investment and response priorities.  Apparently, no matter how well we do, it’s just not good enough.

What If We Could Perform Information Risk Management “Perfectly”?
No matter where or how it is applied, risk management, including information risk management, is a purely defensive strategy that works in two ways:

1. Protect what value already exists even if some “bad stuff” happens.
2. Reduce the chances of “bad stuff” happening.

While you can see these two objectives expressed in various equations or toolsets or hundreds of different metrics, all of the expressions represent the same two foundation objectives.  Some industries (e.g., gambling, insurance and investment) have evolved more mature tools and techniques to apply the foundations of risk management to their specific industries.  Information risk management has not evolved nearly as well.

What if, despite our acknowledged shortcomings, we could apply information risk management “perfectly” to our enterprise?  What would happen to the existing enterprise information value at risk?  According to the foundation equations of information risk exposure, our information risk would become zero!  And, according to all of the most public of surveys, this is exactly the state we desire.

But, wait!  If we could do information risk management perfectly, what would happen to the total value of the enterprise?  The answer is equally clear: we would not add a single nickel of value to the enterprise!

Somehow, that takes the luster off of the so-called desirable state.  Somehow, pure traditional information risk management doesn’t seem like enough.  Seen through the eyes of senior leaders of business and government enterprises, this outcome falls short of where we need to go today.

Spending “the Other Side of the Coin”
According to the Digital Trust report series there’s another (longstanding) side to this coin of information risk management.  Rather than focus on defense and the preservation of as much existing enterprise value as seems “reasonable,” digital trust applies security technology and services to:

1. Create new value.
2. Increase the chances of “good stuff” happening.

This is referred to in digital trust as “the other side of the coin” for security services and technologies, and points to a whole new strategy for making decisions about security investments.  Furthermore, the digital trust research results show that “you can’t spend just one side of the coin.” That is, by using a digital trust strategy, the information risk exposure reduction is achieved as a beneficial side effect.  Check out all the volumes of the Digital Trust series to see how this strategy works and how others are capturing payoffs.  In particular, scan volumes 1 and 8 (Volume 8 coming soon) for the “quick study” tour.

Digital trust calls on the enterprise to “aim higher” for value creation with security services and technologies, knowing that risk exposure will be reduced as well.  It also calls for a change in the security governance approaches used by the enterprise, especially a change in the assignments and responsibilities assigned to information security leaders.  Digital trust is a learned behavior.

What About Next Year’s “State of Information Security” Report?
As long as we continue to focus on the defense of traditional information risk management, we can expect the next reports on “the state of information security” to show marginal shifts in performance (one way or the other) and to encourage the deployment of different kinds of technologies and practices to deliver marginal improvements in the protection of enterprise value that already exists.  And, since nearly all of our theoretical foundations for risk management (including as applied to information and information services) were discovered and proven during the Renaissance, we have 250 years of evolved behavior and practice to overcome.  (See Peter L. Bernstein’s book, Against the Gods: The Remarkable Story of Risk.)

The annual surveys often note that we measure IT risk management budgets as a percentage of the overall IT budget.  Yet, we find no dependable (and positive) correlation between the percentage assigned and the results achieved.  In fact, in many places we often see attempts to determine just how small that percentage can be before results appear to become measurably worse.

If we want the reports to change, and we want security services and technologies to provide real payoffs to the enterprise, then a digital trust strategy provides a way to go.  Some enterprises are already showing signs of digital trust, and those might be better examples for us to follow than even the most sophisticated applications of traditional risk management.

Aim higher.