Risk and Security LLC

Risk Assessments, Training and More


August 2009

Crime & Punishment – Blame & Accountability

BLAME & ACCOUNTABILITY

Gee – they go together like a horse and carriage. The CIA Interrogation controversy has been front and center this past week and what stands out, no matter what side you take, is the blame game. Blame the old White House for overstepping authority; blame the new White House for waking up the sleeping dogs. Blame the lawyers. Blame the interrogators. Blame the detainees for being such intrinsically bad people.

A process tinged with so much blame highlights that there is another principle at work here – you could call it Greed (à la Gordon Gekko) and that is the phenomenon of skating right to the edge of an ethical question, or ‘getting away with as much as you can’.

The Getting Away With (GAW) principle is the polar opposite of Accountability. In the GAW, the question is never asked about whether something is legal, or moral, or right. Instead the question becomes one of degree and how far you can go without brushing up against laws, moral outrage, the notice of Congress or whatever.

If Accountability means taking responsibility for one’s actions, then GAW means not taking responsibility, not even admitting what is obviously happening, but instead pushing the responsibility onto someone else, i.e. the lawyers, the White House Counsel, the Justice Dept., the CIA, the individual interrogators. Sort of like a musical chairs game where you go as far as you can, do whatever you want, and hope by the time the game is over, someone else is left holding the bag.

If you are wondering what this has to do with RISK – it’s the pushing around of the accountability – responsibility. If risk is going to be addressed in an analytical manner, then you have to examine, and insist on, accountability.

So in a corporate setting, say the ENRON debacle – the justice system addresses who was accountable. Who knew what? Who signed the memos? Who shredded? Who decided?

In government decisions, there is almost a preference for non-accountability. Even though, as an organization with a budget, it should be judged just like a corporation, an association or anything else – there is a tendency for government to say “it’s the system”, as if decisions were made by the eight ball instead of an actual person. If you attribute each government decision to an actual person, then you have accountability.
Probably why there are so many committees!

Accountability is always the Number One Control!



How to get Management On Board with Security Enhancements — or how to avoid cocktail party security decisions.

One of the most aggravating issues that security people have to deal with is someone who has no security background and knows little about the current technology, who decides what should be funded based on:

1. My wife thinks cameras are an invasion of privacy.
2. My secretary likes X instead of Y.
3. My friend, Sam, said his company was adding some new widget.

This applies whether you are doing corporate security or information security and it is basically having your management make an emotional decision, or what I call a “cocktail party decision” about where the security budget should be spent.

Don’t confuse them with the facts. In fact, most of this is from people who do not understand the complexities of security or the interactions of various security solutions with each other.

Last evening, I spent quite a bit of time with a client from Asia, who had a big client who couldn’t decide which solutions they wanted to implement. Should it be A or B; and how to set it up? Regionally? By Business Unit? By Subsidiary? By Sub-subsidiary?

As we discussed it, I realized that the Director in question was really avoiding having to spend any money! It wasn’t about the decision – it was sort of smoke and mirrors to avoid having to admit a lack of funding for security.

In these cases, when your organization may have had the budget trimmed, cut or slashed — it is imperative to be able to use some quantitative measurement of the risk to justify the cost of the controls. Whether you have enough budget for one control, or for everything, it must always be prioritized by NEED and by RISK. By Return On Investment. What losses can we prevent or avoid if we add this specific control? How much loss are we preventing? What is our potential exposure if we do nothing?

These are the elements that need to be understood by management in order to get the right controls in place, in the right amounts, at the right time.
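As an added example (not from the original post), here is one way to turn those three questions into a ranked funding list. It assumes the standard annualized loss expectancy method (ALE = single loss expectancy × annual rate of occurrence), which the post does not name, and the dollar figures and control names are constructed for illustration.

```python
# Added example: rank candidate controls by the loss they prevent and the return
# on the money spent. Uses the ALE / return-on-security-investment method, which
# is an assumption here (the post does not name a method). All figures are
# constructed, not real client data.
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    annual_cost: float          # licence, hardware, staff time per year
    aro_reduction: float        # fraction by which the control cuts incident frequency (0..1)
    sle_reduction: float = 0.0  # fraction by which it cuts the loss per incident (0..1)


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy: the exposure if we do nothing."""
    return sle * aro


def loss_prevented(sle: float, aro: float, ctl: Control) -> float:
    """Expected annual loss avoided by adding this one control."""
    residual = ale(sle * (1 - ctl.sle_reduction), aro * (1 - ctl.aro_reduction))
    return ale(sle, aro) - residual


def rosi(sle: float, aro: float, ctl: Control) -> float:
    """Return on security investment: net benefit per dollar of control cost."""
    return (loss_prevented(sle, aro, ctl) - ctl.annual_cost) / ctl.annual_cost


def prioritise(sle: float, aro: float, controls: list, budget: float) -> list:
    """Drop controls that cost more than they prevent, rank the rest by ROSI,
    and fund them in that order until the budget runs out."""
    worthwhile = [c for c in controls if loss_prevented(sle, aro, c) > c.annual_cost]
    ranked = sorted(worthwhile, key=lambda c: rosi(sle, aro, c), reverse=True)
    chosen, remaining = [], budget
    for c in ranked:
        if c.annual_cost <= remaining:
            chosen.append(c.name)
            remaining -= c.annual_cost
    return chosen


# Constructed scenario: a data-theft incident costing $200,000 per event,
# expected about twice a year if nothing is done.
SLE, ARO = 200_000.0, 2.0
CANDIDATES = [
    Control("door access control", 30_000, aro_reduction=0.25),
    Control("endpoint encryption", 40_000, aro_reduction=0.0, sle_reduction=0.60),
    Control("camera system", 25_000, aro_reduction=0.05),
]

if __name__ == "__main__":
    print(f"exposure if we do nothing: ${ale(SLE, ARO):,.0f}/yr")
    for c in CANDIDATES:
        print(f"{c.name:22} prevents ${loss_prevented(SLE, ARO, c):>9,.0f}  ROSI {rosi(SLE, ARO, c):+.2f}")
    print("fund in this order:", prioritise(SLE, ARO, CANDIDATES, budget=75_000))
```

With these figures the camera system prevents less loss than it costs and is dropped, and encryption outranks door access control even though it is the more expensive item.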



