So, as the first keynote, we will have a presentation about risk, just like the session we had here. But something very special about that presentation is that the presenter will try and sell us the positive aspects of risk. And this is something I'm very much looking forward to. Please welcome Tom Langford. Tom, thank you. Great to have you here. So you're from Sapient. That's correct. That's right. And how large is the company?
It was about 15,000 people. We just went through an acquisition about two months ago, so now it's 75,000.
75,000 people? You've been acquired. Yeah. Okay. So this is a big change, is it? Yeah,
Very much so,
But you've been responsible, at least in the past, for both internal and delivery security. Is
that right? Internal. So head of the global security office internally. Okay. And now as the CSO for Publicis.
Okay. So thank you very much. The presentation. The floor is yours.
Thank you to the gentleman at the back. The screens at the front here are not on yet, but we'll kick off anyway. I'd like to talk to you today about risk not being a dirty word. I think we've heard a lot today, and certainly in that last session, about the benefits that risk can bring to many, many organizations. First of all, my standard disclaimer: all of the opinions expressed in this presentation are my own and none of them belong to the company I work for. So I know you are all going to enjoy it far more than you might have otherwise.
So we're going to be looking at three things. Firstly, how we as human beings view risk, how we often get it wrong, and also how we can use it better, how we can use it to our advantage. It might sound like quite a negative view that we all tend to get risk wrong, but it's not our fault. It's actually this chap's fault here, the chimpanzee, because inside each of us we have an inner Chimp. This is based on a brain model put forward by Professor Steve Peters, who was the chief psychologist for the British Olympic cycling team. In his model, everybody has the perfectly normal human being, but they also have an inner Chimp. I'm massively simplifying this, to be honest with you. But the inner Chimp literally comes from those days when we were swinging from trees and we were scared of shadows in the dark, et cetera.
It actually means that we become a little bit more paranoid about risks, and we actually see risks where there aren't any in a modern world. The Chimp is about the fight or flight mechanism. It's not about the nuances of a modern commercial organization, and that's one of the big reasons why we tend to get risk wrong. One of the big reasons why we regret sending out those outburst emails that we send to people when we're angry, about 20 minutes later, is because the Chimp part of your brain actually takes over nearly 80% of the blood supply for between 20 to 30 minutes during that period of fight or flight. So whenever you get your risk registers wrong, you can just blame your inner Chimp to your board. So it really isn't your fault. They don't have to fire you. But this is the starting point that we look at: very often we get things wrong.
So firstly, how do we actually view risk in the first place? Well, many of you, I'm sure... how many people here are project managers? Exactly. So you can relate to this lady here, right? Because risks are issues that have not been resolved, and therefore we're automatically into a failure state straight away. So one view is a fairly negative one: we have failed to resolve an issue, therefore we have a risk, therefore something is wrong. Why do we have this risk in the first place? This is not necessarily the healthiest approach. It is an approach, and it may work for some organizations, some very, very risk averse organizations, but to the previous commentary, zero risk often means zero benefit. This is what I would see as a fairly negative view of risk. We then have a somewhat more neutral view, the box-ticking view, which is: we have a risk, we'll mitigate it; we have a risk, we'll mitigate it, or avoid it or transfer it, or whatever.
This view is fairly neutral, really. It's effectively just working through a risk register one by one, trying to reduce risks (because we never truly remove them), trying to reduce risks every single time. Fairly neutral; it doesn't really do much for us. And then we have this view of risk, which is actually, if we take the risk, if we're cognizant of the risk and if we embrace it, it could bring us great reward. If we take on more risk, we might actually get paid more money to do something. I think the gap between the bowls there really is the risk, and the larger bowl obviously is the reward that you might get. Now this, for me, is the view of risk that I've come around to over the last few years. Before, it was very much... I came from a PMO background and then moved into IT.
So I have very much moved through this cycle of negative, neutral and positive. For me, risks are things that you can actually embrace and do things with, and actually do more with. So you have to ask yourselves, in this context, within this model, where do you sit? Are you either PMO, are you just frustrated that there are risks in the first place? Are you the box ticker? Or are you, as you can probably tell by the emphasis on the largest circle, more like me, when I say actually we want to embrace risks? Now, to emphasize something here, that's not to say that any of these is necessarily wrong. It very much depends upon your environment. There may well be environments where it makes sense just to find a risk and remove it, find a risk and remove it. There may well be environments where risks are seen as failures because of the sterile kind of environment that you're operating in. Having grown through these three examples into the final example of embracing positive risk, I do struggle to see it, but I very much hesitate to say that it's wrong. I would encourage anybody who fits in those first two camps to really look at that third camp and see where you can actually come across to your organization about being positive about risk, and about actually using it to leverage yourself and leverage your business's ability to do more business.
So why do we get it wrong? I will give my apologies to anybody who saw my presentation earlier; there are a few elements in here that I referred to there. But we get it wrong because of little beasties like this. Back to our little chimpanzee brain: we look at this, we know that it's a very, very dangerous animal. Probably not going to do anything to us right here, right now, unless a Sharknado suddenly releases itself into the upper atmosphere. But we have this fixation as a race. We have this fixation with beasts like this. There was Sharkmageddon not so long ago, certainly in the British press anyway, about this massive super shark that was crossing the Atlantic and heading for Britain, to do what I'm not entirely sure, but it was in the newspapers for about three or four days as they tracked its progress across the Atlantic.
We have this fascination, this fixation, on things that have a never-ending supply of teeth and are extremely, extremely dangerous. Again, it's that monkey brain in our head telling us, "I'm seeing something scary, I want to run." And yet we all know that sharks do not kill that many people; dropping coconuts kill more people than sharks. Right? We know this, but we are innately built to misunderstand risk at the very basic level, very often. And so we'll often look at risks that aren't really there. We'll often see the shadow in the bushes and think it's an animal when actually it's just a shadow.
But the problem with that approach, therefore, when we bring it into a modern world, is that we end up building risk registers that are extraordinarily detailed and have everything in them. They throw everything in. I've seen risk registers for a residential, gated environment in a large city that include attacks by wild dogs. Now, Austin, to me, that may well be a risk, but really what that does is distract you away from the real events. Rather than looking at attacks by wild dogs, how about looking at attacks by violent things coming into your compound? Look at it a little bit more generally; that isn't overly specific. Would you respond to a wild dog differently to a wild horse? I'm not entirely sure. Probably not. Maybe you bring more sugar lumps and carrots for the horse. I don't know. But you look at this and you become so focused that your risk register ends up being thousands and thousands of records long, which makes it increasingly difficult to actually do anything with it. It becomes a spreadsheet that's never going to be looked at by anybody. It makes it harder to filter the real stuff from the bad stuff. And as a result, we actually start reporting on all the wrong things. It becomes a big, confusing mess.
And then when we do report on them, we often report them in a completely uncontextualized way, in a way that has no understanding on the other side of the board. We look at traffic lights, for instance. They're great: the RAG status, Red Amber Green status. They're very, very useful, there's no doubt about that. But how many people truly report red statuses all the time? Because if you're going to report a red status all the time, you're probably going to get fired. You're incompetent. If you're going to report a green status all the time, one of two things is going to happen. You're either going to have your budget taken away, or when something does go wrong, you're going to get fired because you've told everybody that you're all right. And so you end up with this amber sequence of just everything being amber, just in case.
Now, you can still use the Red Amber Green perspective, because as long as you contextualize it with whomever is reading it, that's the most important thing. So you could say green is beyond the standard that we have set for ourselves, red is below the standard that we've set for ourselves, and amber is actually where we should be, because if we move into the green it's becoming too expensive for us; we're spending more money than it's actually worth. But you don't have to use that. You could use a percentage: we're 70% secure. Or we're at DEFCON four out of seven, I don't know. We score a 5, 3, 5 on our risk matrix. Whatever it is, it doesn't matter what integer you use, what ordinal you use; what matters is the universe in which it operates. We don't want to be second-guessing our board and what they think about things when they are actually not looking at the measures and the reporting that we put to them in the same way that we are looking at them. We shouldn't see red as always a failure state. We shouldn't see green as always a success state, for instance.
So how can we actually use risk to our advantage? How do we use it better?
For me, there are two questions. In my environment there are two questions; you may have two different questions, you may have one question, you may have five, that the board and your leadership are going to ask you time after time. What you have to do is take your risk analysis and turn all of your red lights or green lights or amber lights, or your numbers, or your eights and nines and your sevens and zeros, whatever you have, into a cogent answer to these questions. Now, my questions are: how secure are we? Quite a difficult one. Five? And the second question, whilst waving a newspaper in my face, is: is this going to happen to us? It's normally about Sony. Is this going to happen to us? Possibly. But if you can translate what you are putting across in your big risk matrices and bubbling things up, if you can actually turn out answers to those questions or questions like those, you are going to have a far better impact on the business than simply reporting the fact that you have 800 risks that are at seven or above, or even five risks
that are eight or above. Now, a trick that I use is the Twitter trick. If you can put your answer across in 140 characters, then you've probably nailed it. So try doing something like that: a single-sentence answer to a single-sentence question. The more you elaborate, the more you probably haven't understood either what the question is or what the data and the information you're reading is.
Secondly, we should not be this guy. We need to be making fewer decisions for our companies. By that I mean, from a traditional security perspective, we need to be saying no a whole lot less; no is a decision. We should also be saying yes a whole lot less, because that is also a decision. We just make fewer decisions. We should be advising on the risk of the activities that are being proposed by the business. We should not be the moral conscience of our business. It is not for us to say that pushing into a new market is the wrong thing to do. It is for us to say these are the security risks that come of us moving into a new market. It is not for us to say that this product or that product is better or worse than the other one. We should be saying that this one carries more risk in the framework that we used versus this one. That doesn't mean that the business isn't still going to choose that one, and then your job is to make it as secure as possible. What it is, is you are giving the business the chance to make the right decisions.
And the final thing we can do better, and I'm really pleased I can do this one here, given it's Munich, is all about beer. That's our favorite topic here in Munich. So tonight, as you pour yourself a beer, just think of this phrase I'm about to use. Now, there's a chap called Steve Mora. He's the head of digital marketing for MillerCoors, and he has a phrase: "This is what I want digital to do: to help me sell more beer." Let's remove "digital" and put "risk" in there: "This is what I want risk to do: to help me sell more beer." If you cannot establish what it is that you do with risk that helps your business sell more beer, you are probably not doing it right. You should be understanding what your business does and how your business does it. If you haven't read your company report, you are not going to be able to answer this question properly. You're not going to be able to fulfill this statement. Understand what it is that your business does. So how can we actually put this together? Let's have three takeaways. They always say that a good presentation has three things you can take away. If you can remember one of them, I'm going to be very, very happy. So first off,
align your risk attitude to your business. Make sure that the risk appetite you are working to is the same as the risk appetite of the business you work for. That actually means getting out from your department and going out to the shop floor, talking to the people on the shop floor, talking to the stewards, talking to the bosses, and actually finding out what they think about the business and how they feel it should be treated. Secondly, now you understand the business, you can report the risks that affect that business far more clearly. Use the Red Amber Green or whatever makes sense for you, but just make sure that your conversation is happening within the same universe as each other. If they're operating in a different universe of risk compared to you, or with a different understanding of what Red Amber Green means, then you are going to miss the point there. And finally, help your business sell more beer. If you are doing security for security's sake, you are not going to help your business sell more beer; you're going to stop them from selling more beer. Thank you very much. If anybody would like to continue the conversation afterwards or offline, these are my contact details.
Thank you very much, Tom. One short question, who is the risk owner?
I'd say it is...
No, it's not you, I mean,
where is it? I think it depends. It's very much down to: is it a piece of kit? Is it data? We say the data owner owns the classification of data, et cetera. I think you do need to ensure that items like that are clearly stated upfront, and when you are carrying out a risk assessment, you're making ownership very clear. I don't think that there is a standard Imperial measurement that you can just place over everything and say that belongs to that. I think it's very much dependent upon the business,
But it's the business. Yeah, it's the business. Thank you very much. Thank