Security Response

A Closer Look at “Risk Mitigation”

Created: 01 Nov 2007 07:00:00 GMT • Updated: 23 Jan 2014 18:45:09 GMT
Tim Gallo

I recently attended a pair of conferences in Las Vegas (yes, lovely Las Vegas). Not only was it hot, but because I was staying in one hotel and the conferences were in two other hotels, I had a long hike between where I was sleeping and where I was attending. Needless to say, walking through the desert heat I had lots of time to think about why I was dumb enough not to bring water with me, think about where the nearest air conditioning was, and also to think about things that I’ve said in front of crowds or things I’ve heard other people say. One of the most common phrases I heard at the conferences was “risk mitigation.” Well really, what does that mean?

I hear a lot of vendors talk about how they help clients mitigate their risks and how they use technical infrastructure to do so. But should we be mitigating risks at all? Let’s start by reminding ourselves what “mitigate” means. The dictionary defines “mitigate” as: to lessen in force or intensity, as wrath, grief, harshness, or pain; moderate. So the word is really talking about moderating your risk, not deciding what to do with it.

That approach is quite different from how I (and many of my colleagues) think about risk. You don’t merely want to moderate it or lessen its force. With risk you can really only do a few things. You can transfer it, which is the classic insurance model: you pay someone else to take on your risk, they accept it, and from an IT perspective that could mean buying IT loss insurance or moving parts of your risky infrastructure onto a third party. You can reduce it by taking actions that minimize the risk, for example by adding layers of security to your infrastructure. You can accept it and literally look it right in the eye (kind of like what I was doing to the street vendors trying to hand me leaflets as I walked between the conference centers and my hotel). Or you can ignore it entirely and pretend it isn’t there—you’d be surprised by how many people I have met in the IT industry who take this approach. Pretending there was no risk made me laugh in my heat-addled state, because the nature of the conferences I was attending was, ummm, let’s just say a very, very, very deep dive into security risks, vulnerabilities, and the people who love them.

So, what I’m really getting at is that “risk mitigation” is an outdated phrase, and risk management is what we need to focus on as IT risk specialists. We need to help our companies define which risks we want to reduce, which ones we want to transfer, how we plan to live with the ones we accept, and make certain that neither our executives nor we ourselves stick our heads in the sand.