Why It Might Be Time to Move on From Cyber Risk Management

Are government agencies putting their systems and data at risk by trying to apply the principles of risk management to cybersecurity? John Kindervag, Chief Evangelist at Illumio, thinks so.

Kindervag says the basic premise of risk management — that you can calculate the probability of a particular risk materializing — might be feasible in the financial sector, where analysts work with finite data sets. But in cybersecurity, the number of variables involved, if not infinite, is simply unknowable, making it impossible to quantify risks in any meaningful way. 

“There’s no way to say there’s a 10% chance you’re going to get hacked, or 0% or 100%. There’s just no way to know that,” said Kindervag. “And what it causes people to do is to accept risks that they shouldn’t.”

Kindervag, who was a principal analyst at Forrester Research in 2010 and is credited with defining the concept of zero-trust security, recommends a new approach: danger management.

In this video interview, Kindervag explains the concept of danger management and how it can help agencies bring greater urgency to their cybersecurity efforts. Topics include:

  • Building a strategy around protecting high-value assets
  • Thinking in terms of mitigating threats, rather than accepting risks
  • Applying danger management within the zero-trust framework
