By Bryan K. Fite, BT Assure US & C Portfolio Manager
At a security conference in Heidelberg last year, I sat on a panel to debate the merits of Risk Management versus Trust Management. Along with Enno Rey, our host, I squared off against Pete Herzog and a hacker named Bigezy. As a true believer in the value of risk management, I was confident that we would prevail.
Enno and I started off well by describing the language of risk with our proven formulas and quantitative approach. We were very convincing and had the attendees nodding sagely at our obvious expertise in the mature domain of risk management.
Conversely, Pete and Bigezy had a difficult time articulating algorithms or meaningful anecdotes to describe the practice of trust management. Pete made an attempt to demonstrate the legitimacy of his approach by suggesting “crossing the street” is an exercise in trust management.
We met this argument head-on and took the position that “crossing the street” was actually an exercise in risk management. “Everyone knows this because we make these types of risk decisions every day” I quipped confidently. With the momentum of the crowd on our side, we felt very confident that we had proven our position.
At this point, Bigez, who had been very quiet, produced a device from his computer bag. To everyone’s shock and horror it was the master module for programming the conference badges (think secret key). Holding it high in the air he declared, “Be careful who you TRUST!!!”
I was speechless. Bigez’s theatrics completely derailed our momentum and the audience’s ability to appreciate the merits of our more eloquent risk management argument. They were giddy with excitement about Trust Management — a pseudo-science at best — all because Bigez violated a position of trust.
I was shaken to my core — someone should have seen this coming and put controls in place. Why had risk management failed us?
This was the same question many asked themselves in 2011 — the “Year of Broken Trust”. I won’t cite the litany of epic failures by organisations that should know better — and more importantly entities that WE TRUST. A light went on in my head, TRUST MATTERS. It matters a lot. It might matter more than anything else — (is that dramatic enough?).
The debate ended in a draw. We declared that risk management is a mature practice that provides business value but is not infallible, while trust management is an emerging but immature practice that is still looking for its voice. It was agreed that both approaches were relevant and should be a part of every security professional’s repertoire. I took on a personal objective to learn more about why we trust, when to trust and whom to trust.
Fast forward a year: I just returned from Enno’s annual conference in Heidelberg. I attended trust workshops, tested for Certified Trust Analyst (CTA) accreditation, enjoyed an incredible presentation from Piotr Cofta (a world renowned author and Trust Plumber) and sat on a panel promoting the merits of trust.
During this year’s speakers’ dinner, Enno and Piotr talked about the need to connect the disciplines of trust and risk management. Many libations later, Enno beckoned me to the table. “Bryan,” Enno shouted over the music, “Piotr has come up with the term ‘TERM’ — Trust Enhanced Risk Management.” I liked the way it sounded. It was perfect in its simplicity — clear and descriptive. Yes, I would adopt it. I responded, “OK, we have the name. Now we have to perfect the science.”
If last year’s theme was broken trust, then this year can be described as “learning to love again”. I am confident that the science of trust will advance this year and hope to be a part of bringing the message to the masses.