By: Marty Miracle
More often than it should, the justification well-meaning security and risk folks give me for the inconsistent and logically unsound mathematical expressions of risk (think misapplication of ordinal scale math and mangled expressions of annualized risk) they develop goes something like this:
"It is what senior leaders want and understand"
In my mind this is akin to saying, "the customer is always right". The way I see it the customer isn't always right, but he is the customer (to borrow a phrase from a security professional I know). What does that mean you ask? It means that as risk professionals we shouldn't take the easy way out. We shouldn't be afraid to show leaders/decision makers there is a better way. Deliver what they need to make an informed risk decision but educate them as to why the old ways aren't the best ways. We shouldn't be afraid to show them how "gut feelings" about risk can be transformed into quantitatively sound expressions of risk using the information at their disposal. Of course that also means that I need to continually challenge myself to improve as a risk professional. Sounds like a quantitative risk training and certification opportunity! :)