
Friday, 15 May 2015

Schrödinger’s Risk


Just like Schrödinger and his quantum feline, most companies are just making assumptions about the state of their cybersecurity risks.

Everybody has at least one. It’s usually orangey red, long in the tooth, semi-regularly reported, infrequently updated and fought about annually. Like Schrödinger’s pussy cat, it’s usually in a box (4 x 4 or 5 x 5) and has known triggers that would, if activated, result in a CATastrophic outcome (see what I did there 😉 ).
For those unfamiliar with the quantum theory, here’s my version of the physics:

Schrödinger’s Feline

A cat goes into a sealed box with a vial of hydrocyanic acid, a tiny bit of fast decaying radioactive material, a Geiger counter linked to a trigger and a hammer. The trigger makes the hammer smash the vial when a radioactive atom is released by the decaying isotope and detected by the Geiger counter. Smashed vial = gassed cat.
Outside the box, folk have no idea if they have an ex-cat on their hands. Ergo, in that version of reality, the moggy exists in 2 potential states: Fighting fit and Dodoed.
Or (if you enjoy the wonderful perspectives of Sir Terry Pratchett*), 3 states: Alive, Dead and Bloody Furious.
That set of possibilities only changes when you open the box.
Most folk, with even a passing interest in STEM, will be familiar with that, and folk fiddling with quantum computing will be intimately acquainted with the implications. What blows my mind (from that computing perspective) is the fact that multiple concurrent potential results are actually observable at a subatomic level and seen to change when problems are definitively solved with available data. Consider the possibilities presented by dealing with all feasible outcomes at the same time, instead of one after another (what all traditional computers, even the cutting edge ones, do now)… WOW.
There are also big and very real risks linked directly to going quantum, as Vivek Wadhwa explains here:

Quantum computing is about to make big trouble for cybersecurity

That’s as far as I go with this before my brain melts (even the man himself reportedly said he wished he’d never thought of the cat), so back to those risks.

Quantumly Entangled Risks

As I said above, you probably have at least one floating around in a box somewhere. Here’s an example (the matrix is from Peter Prevos’s excellent 2011 article ‘The Risk of Risk Management’):
Just like the eponymous feline, the state of that persistent risk is a mystery due to a few basic and very common facts:

  • It’s there because of an incident, an audit point, a compliance failing, a vendor FUD campaign or a news story that was big enough to really bother the board.
  • The quality of the original assessment lies somewhere on a continuum from pure guesswork to rigorous measurement.
  • The board, audit and your regulators demand that risks are moved from top right-ish towards bottom left-ish of the risk matrix.
  • Periodically risks get more orangey (or even orange with a hint of green!), based on some security work having been done.
  • At least once in the risk’s lifetime, a new assessment method will have been tried by you or consultants. It will have either escalated or downgraded the risk. The board will have asked why the risk changed. You won’t have been able to answer.
  • Since logging it you haven’t found any scientific way to measure and demonstrate improvement. Or in other words:

If point A is a guesstimate and no meaningful way to measure the risk has been plugged in since, the movement towards your target position (let’s call it guesstimate B) will be in increments of “that’s enough to keep them happy, but not so much they’ll doubt it”.

That (if you are honest) is the status quo. Risks in a box that could go critical at any time, but, to outside observers with no useful means to measure their status, they exist in the corporate mind in multiple states:

  1. Denial – It’s not worth worrying about, after all it’s been there for years and nothing’s gone wrong.
  2. Paralysing Fear – It ‘feels’ like horrendous pain is imminent (based on what you do know about current vulnerabilities and threats), but you can’t communicate that in persuasive enough risk terms to secure funding to do something about it.
  3. Fragile Confidence – Perception that the risk of harm is being ‘managed’ satisfactorily, but risk treatments and status updates can’t be demonstrated as making a difference. A state frequently destroyed by incidents, audit points and budget cuts.

Far From Blissful Ignorance

No matter which ‘state’ gets most political weight thrown behind it, no-one really knows and it’s the not knowing that’s the real killer. In a company with a broken culture there will be many competing reasons not to break open that risk box, but you have to. Problems cannot be dealt with until they are understood.
Robust risk assessment is still an enormous challenge (as I call out in detail here), but things are improving. Threat intelligence is getting more emphasis on the ‘intelligence’, vulnerability assessment is slowly evolving to show you business risk relevant impact and likelihood, non-technical (usually people related) threats are being given more appropriate attention, a greater quantity of better quality industry incident data is becoming available (albeit, if firms don’t pull their fingers out, just to insurers who may not be great at sharing it) and the high ‘cyber’ profile of security is bringing more money into security functions.
BUT, none of that will help if CXO level consumers of risk data ignore the Schrödinger-esque trap they are in and keep shooting messengers who give them a potentially upsetting, but utterly necessary, peek inside the box.
If you don’t take this plunge soon, someone will take it for you. Perhaps cyber insurers assessing you to estimate premiums, or regulators landing on you like a tonne of bricks, when one of those mystery boxes goes bang. In fact those aren’t your worst nightmare scenarios… trial by media, as JP Morgan, Sony, Target, Anthem, Hillary Clinton and now Starbucks know, is a whole other level of pain.


*From Discworld book 14: Lords and Ladies
