Communicating outside your (security) culture
A little while back I was talking with my six-year-old, and said six-year-old asked me "What is risk?". I realized I didn't have an answer that was one or two sentences. In fact, I didn't have an answer that I thought would really get the idea across, though after going through several tries I think I got the idea across. The hardest part was finding a common frame of reference to build on. And yes, I was a bit dismayed that I didn't have one or two sentences to communicate an idea that is a basic part of Information Security to someone who didn't know anything about it.
What this episode made me realize (again) is that we, as security professionals, usually have a very different way of looking at things than the people we work with, both "business" people and IT people. This difference can be hard to detect - for example, as adults we all know what 'risk' means. Or do we? Overall, I think the majority of people will have roughly the same idea for the word 'risk', though I believe each person's meaning will be colored by their own experiences and observations. When it comes to clearly understanding a particular set of "risks", this is where I think our different viewpoints (security, IT, "business") result in very different understandings of the "risks".
I've seen this disparity of cultural viewpoint a number of times, and seen people struggle with it as they try to understand each other and move forward. Sometimes it takes a while for them to understand they have a communication failure (vs. "so and so is just {"an idiot", "paranoid", "YOUR_FAVORITE_LABEL_HERE"}"), sometimes they don't. When they do make the realization, and I mean really make it, when they get that the other people are looking at the situation in a completely different way, I see them go through what I did in trying to explain risk to a person who has no real experience in it: trying to find a common frame of reference so they can build up a real understanding. Over and over again I've seen this be quite challenging, and where it's been successful two of the common threads have been people listening to each other and trying to see the situation from the other person's point of view. It's not easy to twist our brains around to a different way of thinking, yet every time I see people do it, I see success. What has been (or was devolving into) an acrimonious relationship becomes one of trust and mutual respect, which then becomes a highly productive one. As well, both sides usually learn from the experience: both what the other people do and how they do it, and they learn a bit more about themselves and what they do and how they do it.
Overall lesson? Listen when the uninitiated ask questions; you might just find something useful and interesting in them.