IBM’s latest press release caught my eye. It sounds great, announcing a major investment in new security services, products and research breakthroughs to help business effectively manage operational and IT risk. I was particularly interested in the announcement about a collaborative research initiative with academia, called Security Risk Management (SRM), to align security controls with critical business processes and their risk management objectives. In particular, it aims to enable assessments of Business Value at Risk, a useful metric to present to business managers and Boards. It sounds like a great ambition.
The bit that worries me is the concept of a product that sets out to perform critical assessments across the enterprise, in a “more precise, automated and objective manner”. Nice in theory. But will it work in practice? Highly unlikely, in my experience. Even if we actually had sufficient base data to underpin such calculations, there would be too many contextual dimensions that are simply not measurable. Also, the value of information and the levels of risk change constantly, generally without warning or announcement. The model would always be out-of-date. Further, automated calculations have an unfortunate tendency to spill out bizarre results, requiring significant manual adjustments. And, most importantly, people are responsible for processes and assets – you can’t cut them out of the loop. It’s their call, not the computer’s, to assess the risks to their operations.