risk and fear of the black swan

Fear of the Black Swan and Risk Assessment

William Abrams IT Consulting, Security 0 Comments

If you are at the C-level in a business, you probably worry about the Black Swan event: an unforeseen catastrophe that changes everything. This is a risk that everyone is vulnerable to and very few have control over.

I have seen this over the last few decades when working on business continuity plans (BCP) and disaster recovery plans (DRP) for hospitals and banks. Business after business would brood on specific Black Swan events that we would be required to address before any real work could get done: terrorist attacks, derailed trains, avian flu, you name it. It was like a long, drawn out flashback to Y2K.

So why do we seemingly worry about extraterrestrials or the zombie apocalypse instead of less glamorous things like data breaches or disgruntled employees? Especially at the C-level? My undergraduate statistics instructor, Professor Glover, framed this in terms of quantitative analyses: irrational fears often take precedence over statistically more likely problematic events, because high cost trumps low probability in most of our minds.

My solution in these situations involves creating a shift in thought designed to move a company toward reduced downtime and improved corporate workflow resiliency. I feel that C-levels SHOULD be concerned about Black Swan events – but from a DRP and BCP perspective, they should be more concerned about a lack of resiliency in the main data center, and reputation management due to a data breach.

People have real and understandable concerns that their operating site might become unavailable due to a natural catastrophe. But when I would ask when their last disaster was, I’d get a vague response like the ice storm of ’96 and how they were trapped in their driveway eating Pop Tarts and Wing Dings for a week. Then after casually mentioning the (very low) FEMA natural disaster statistics for the region, I would try to get them to tell me about the last failure at the main data center – and usually get vague answers couched in hyphenated IT-speak.

Two famous quotes sum up my philosophy about how to really address risk and data security.

The first is when Vince Lombardi held up a football in the locker room, with his team behind at half time, and said, “This is a football.” C-levels need to get back to basics. Many decisions that are not analyzed by both IT departments and C-levels need to be elevated to the executive level (and sometimes to the board level) to truly access the risk and appropriately approve the resources necessary to address it.

The second quote is from Ronald Reagan: Trust but verify. C-levels need to obtain independent verification about the level of risk their organization is taking. I am often asked how to accomplish these goals without increasing the temporary risks encountered with an audit, or embarrassment that can go along with this type of hernia exam. My response is to focus on the consequences of not doing these steps.

My ultimate goal is a strategic process that engages all levels in the risk analysis and creates a shared visions to reduce risk and fuel corporate growth – one that encompasses everything from IT infrastructure to social media response. This is ultimately how we exorcise the IT demons that seemed to preoccupy most people’s corporate hive mind and successfully think past the Black Swan.

Leave a Reply

Your email address will not be published. Required fields are marked *