Amar Singh - It Takes a Community to Reduce Risk

The afternoon sessions are the best because everyone is full. So they're probably asleep. So I can say, and get away with almost anything. The two teams here, one of them, the title is I shorten the title a little, but the, the two teams to the title one is digital risk, which is why we have one of our friends here holding an analog camera. Right? And the other topic is community engagement to reduce risk. But I, I chose this topic. I'll talk a bit about digital risk and I'll throw it out to the audience and the panel members. So that's me. It's very easy to recognize me with a very shiny blue turbine. And that's what K KuppingerCole does. Everyone knows that if you're not a customer, you really need to be only because we produce pretty good stuff. So the sun has been trying to boil the ocean.
And while it does that, let's try to do a bit of risk management. Now, I often take this tire with me. It's not easy to carry, so I carry a picture of it, but I, I do a lot of training on risk management also. But in this context, I'm going to propose that this tire is information risk. Remember the digital risk thing we mentioned. So I'm gonna throw it to the audience and say, if this is information risk, that should have been an Audi, but it's a POJO. I love my Audis. I couldn't find a good Audi photo, right? But if that is, if the tire was information risk, I suggest that digital risk is the much larger combination of information and other risks that come, come together. Now I know it's, this is a suggestion. I'm not actually saying, this is what I think it is. This is part of what I think it is. And I'll invite the panel obviously later to hopefully disagree with me and put forward their own suggestions.
Is everyone here happy with this? Do you agree? Do you disagree? No semantics, semantics, but it's entrusting the reason you, it's interesting. You say that because the us and the UK are starting to see. I think you also, Thomas would, would see that a lot of titles are starting to become chief digital officer, right? People are starting to get the title of chief. I've seen one or two titles in the UK, apparently in one of our earlier sessions, some in the us, it is becoming more and more common, so it could be semantics, but then I guess semantics always their reasons behind semantics. Right? So, so just to kind of reiterate, that's what the wonderful tie I carry along. And then this is part of the, the information without context is pointless. So this gives a bit of context to that information risk. So this is my take on information and digital risk and on the community angle, I'm gonna propose when I see clients that's Chinese or Japanese.
I really don't know because I don't speak, I don't write Chinese or Japanese, but basically the message is that there is a significant amount of disconnect in the language of risk, right? Within many organizations. And what I see often is someone is gonna always having a, an angle of it is the worst case scenario, and we need a lot of money, right? And then you have the everyone know what PT is advanced persistent threat. Someone is always raising days, an a P T risk. And again, this is vernacular, but it gets really irritating, right? And then that's a wonderful argument. There's huge, massive confusion. In my opinion, between what is a threat and what is a risk and many, many respected publications. Also get this wrong. In my opinion, they keep confusing threat and risk, right? And it doesn't really help the overall picture. So moving on quickly, there's a risk of unpatched software.
So this is again, something I see very often risk statements are not clearly defined, no one, really many, many organizations don't define their risk statement in any clear sense at all. And then finally, we have the big boss who comes in as you can see in most of my big bosses are all related to women and they come in and they say very big things. And then they go back to their head office and, and they keep telling you, you need to do risk management and they keep telling you to use spreadsheets. In a nutshell, I don't think we are in terms of risk. Most organizations are not on the same page. I think if we did a poll of everyone here, we ourselves would not be on the same page. I don't think we all speak the same language of risk. Each of us have different understanding of risk. A lot of the time it is project risk that we think about. We don't really think about strategic risk. That's my opinion. You may disagree. But that is what I see when I deal with many clients. Right. So what happened? And I'm just reiterating the title a little. I sat down with a CIO last year and I remember this very clearly. And I said, do you do risk management, digital risk management? That is the word I used. And he looked at me with a blank face. Right. Okay. I said, fine. Do you do it risk management? He said, no. I said, do you have a risk register? Right. And that's when he said yes. Okay. Who uses spreadsheets to manage risk spreadsheets, to manage risk?
Let's see all those hands spreadsheets to manage risk. Right. And they get really big. They get really complicated depending on how you manage them. Right. And I've seen this kind of spreadsheets on risk management every time. And if an organization is very large, a it is in, in the it department, it is normally one individual right. Looking and trying to collect all the risk statements. So let's just quickly examine one, right? What's a risk log roughly. Right. I'm very worried about lack of effective and there's a lot of risk. Okay. And then there's a lot of extra stuff that people have to write. They don't really pay a lot of attention to it. And then can everyone see this clearly? Is there something wrong with that arrow? I'm just checking every everyone's awake, right? It should be on the other side a little cuz those are the controls. Okay. Every risk register has controls or every, at least every good risk register should have some controls. Okay. And then the CIO is normally under the impression that those controls are being managed pretty well.
And then this always happens right after everything. And you buy me an expensive firewall. There will still be some risk. If you buy me an expensive logging solution, there will still be a lot of risk. And then every spreadsheet must have colors and numbers. Right? So I guess what I'm trying to say a lot of the time, if at all, there's only one in very large organizations that I see. There's only one risk manager. If there isn't a risk manager, there's only one individual managing the risk and its management is wrong. He, he or she is collecting the risk. Right. And the question is why community? And that's the question you should be asking. That's the question I ask my customers when I see them, why are you not using a better approach to risk management? Right. And the reason why I think a community is much more a community based approach.
If you remember the title was it takes a community because if you, within your organization, if you normalize the vocabulary, right, if you do, if you have a common taxonomy approach to risk, to the language of risk that can significantly help the, the bottom line risk management approach, it's a very short presentation I could go on and on. And I think my friend here, Mr. Langford has given a very good presentation in the morning if y'all were there. So taxonomy normalization, who here has gone for a risk management training course, anyone risk management. So what I've done when I do a lot of interim roles for CISOs, I encourage all the executives, all the it people on a half a day, risk management course, only half a day. It's not boring. It's only half a day to give everyone a basic understanding of risk because I think it is the biggest culprit. They don't understand risk. And they constantly ask for money without understanding why they're asking the money, anything wrong with this.
I made a deliberate mistake, please. Someone help me out now, collaboration. Right? I spelled it wrong. And then I was too lazy to change it. The community approach. And you know, Scott and I were discussing this earlier. It's a people issue, risk management. There are a lot of tools out there. Spreadsheets can do it really well. But if you take a people issue, if you take a people based approach, which means your vendors, your customers, in my opinion, they're all part of the risk management community based approach. It's a very, very big thing to say, but they all need to take part. They need to collaborate on risk because I think a, everyone knows the target target attack, right? And, and many other attacks have been involved with third party, cyber attacks, third party, lack of risk management. So I think a community based approach is definitely worth trying. Community based approach helps you keep track of incidents in my opinion. And I've seen this happen also very importantly, I think a proper risk management approach, but with the help of a larger community, not just one simple spreadsheet, but the ability that using the tools to allow multiple vendors, multiple employees to contribute risk to the bottom line actually helps drive better decisions right. In the end, the point of which is you can all sleep easily. That's what I like to do. Thank you. Any questions?
I'll keep it short. Yes. That's
Great. So Amara, I wanted wondered if you just elaborate a little bit on the, when you talk about project risk and its relationship kind of strategic risk, what are some of the ways in which those can be more integrated? You know, sometimes in a large organization, you have people working on a number of different projects and the risk exposure. Isn't, there's not awareness throughout the organization. Yeah. What are some of the ways in which I can be better integrated organizationally?
A lot of the time when I've seen it succeed is when senior management, including CEO says we have a strategic approach to risk because project risk is fairly well understood. Actually project managers do do a relatively good job of risk management, but it's always in the context of the project. And once the project gets delivered, the risk register is shut. You know, so a strategic approach, which looks at the whole business rather than just the project
And that one of the themes that we've talked about and we'll talk about in some of the other sessions is the notion of narrative. You know, when you have distributed networks, you have all the different nodes in the network and you need to deploy the policy essentially. And when you have a statute or a company policy, then there's a uniform duty across all those nodes, essentially your employees or your customers, et cetera, depending on the context and that CEO, utterance is part of that narrative. It sounds like, you know, for deployment
And that important word here is context. Because if there's no context, the only context that often that often prevails as the project context, not the strategic context, not the operational context. Yep.
One
Is. So the context approach is really critical. Otherwise it's always the project context that wins the day and then, and actually draws a lot of the funding.
And one of the reasons to raise that question here is later on, we're gonna have a session on scale and the issues of scale. It's a, this is a microcosm of that scale issue internationally between companies in a sector. Yep. What are the, you know, are, are the same deployments are the same narratives, the same policies effective at all different scales. And that's an instance of that idea of those scaling differences.