“One has to abandon altogether the search for security, and reach out to the risk of living with both arms. One has to embrace the world like a lover. One has to accept pain as a condition of existence. One has to court doubt and darkness as the cost of knowing. One needs a will stubborn in conflict, but apt always to total acceptance of every consequence of living and dying.” ~Morris L. West
Great quote, Mr. West, but, as it presupposes that humanity should have little regard for danger, it is also quite prophetic with respect to how danger, or the risk involved, is regarded today.
Many of the things we used to value, like say, privacy, have no value any more, so there is no risk in losing it – or, rather, no danger from losing it. And the “No Fear” generation showed us just how little regard there was for their own lives. Even many companies (small and large) today have a very elementary concept of what risk is, and they’ll have risk assessments done without even considering “value” in the equation.
“Risk taken” is directly proportional to the value placed on whatever it is we have to lose.
In nature, the equation is quite simple. Animals know the value of the basics – their lives, food sources, water sources, their offspring – all of these are the requisites of survival.
Some of these essentials are more important than others for survival, hence an animal will “classify” them accordingly. Here’s how classification in Nature works:
Animal: “There’s that thing with the brown shaggy coat what ate my brother….I need to be careful.”
Even simpler: “It’s bigger than me….RUN!”
Or – “I know this creature wants to share my watering hole, and instead of running, I’ll fight him off.”
This simple hierarchical classification dominates nature. The “risk assessment” the animal is doing comes “after” they have already classified the value of potential loss (aside from using their intuition in encountering an unknown threat – and even then they have already classified a proper response).
While the “cost of knowing” may be obtained by “courting doubt and darkness”, it is still something that has to be classified for the next encounter.
Unfortunately, much of the business world seems to have lost sight of this basic but essential atavism. The so-called “Security Risk Assessment” is an anachronistic exercise replete with pompous or pretentious theatre. Usually, the first thing a security consultant will offer forth to evaluate your security is penetration testing of your enterprise environment.
“If we can break on through to the other side, you’re vulnerable to data loss.”
But what if your data is secure from the inside – so even if the intruders bypass the first layer of defense, they can’t access the data they’re after?
The first thing in any risk assessment is to understand the value of that which is sought after, and to classify that valuable commodity so you can further decide how it should be secured. You must classify your data based on its value before you do anything else.
Companies today have less regard for all those tasks that seem to present little ROI — it doesn’t sound rewarding to the board, and has less impact on the shareholders. They underestimate the value of their own data, thinking, “No one really wants this data anyway, even if they could get at it.” This way of thinking is especially prevalent in companies that manufacture for DoD contractors, and is precisely why Shady RAT-type exploits are so effective.
Classify (value) your data (assets), lock them down from the inside out, then do a risk evaluation.
It’s that damn simple.