United 2013 Security Summit: How to make an insane idea acceptable

Rapid7’s president and chief executive officer discusses the evolution of risk management throughout time and best practices

Risk management should be practiced daily and constantly, according to Corey Thomas, president and chief executive officer of security software supplier Rapid7.

During his "Gods, Gamblers and Bankers" presentation at the United 2013 Security Summit in Boston, Thomas said: “A great example is the recession of 2008, where too much risk was taken. The moment you forget that you live in a risky world is the moment it will enclose on you.”

He compared business to sailing around the world: “You can’t sail around the world without assessing the risks first – the weather, the environment, where you are going, what people are buying. And how you manage it – how much cargo you need to ship, which policies to set, what products are in your environment. Then you need to implement the tools to control the environment, measure it and learn from it.”

Not only are we not learning from the successes of our past, but we are not learning from the mistakes in our past

Corey Thomas, Rapid7

In 2012, there were 621 confirmed breaches and 6,000 confirmed security incidences. Thomas questioned why. 

“Was our fundamental approach to risk management broken? Not only are we not learning from the successes of our past, but we are not learning from the mistakes in our past,” he said.

We used to live in a “mad world of chaos”, Thomas added, but our approach to risk and management has evolved throughout time.

“In the 20th century, the idea of getting on an airplane and hurling yourself across the skies was considered insane, but now it’s something done by millions every day. Are there zero fatalities in the airline industry each year? No. But it is a lot safer to fly nowadays because the risk is managed better nowadays. 

"It’s about how we take one insane and crazy thing in one era and make it perfectly acceptable in the next.”

Thomas said the most important factor when dealing with risk is about how to simplify the environment and close the ecosystem.

“However, our world isn’t actually like that and we can’t control everything we run into," he said, "so in an open environment how do we control and manage risk?

“We have to be careful of the term ‘the black swan’ – for instance, the September 11th attacks where controls and security were tightened around airports, but we were not focused on protecting our embassies, which were a bigger risk,” he warned.

Read more on Privacy and data protection