(The following was written for the upcoming NESCO Energy Sector Cyber Security Risk Management Town Hall program book.)

I’ve seen people fly, I’ve seen birds fly, I’ve seen a horse fly, I’ve even seen a house fly, but I’ve never seen an organization fly. And, as silly as it might seem, this really does have significant implications for managing cyber risk – especially when we look incredulously at the many public compromises and wonder “why does it keep happening?”.

A good way of approaching that question is to look at where cyber risk management is “succeeding”. Succeeding? Yes! Cyber risk is, in fact, being managed – and quite well! If you doubt this, you might need to ask yourself important questions like “Which risks are being managed?” and, more importantly, “Which risks to *whom*?”

What I mean to say is that, while organizations can have an effect on the world around them, they can’t actually be seen or touched. They’re not tangible and they can’t…”fly”. Instead, they are the conceptual sum of the many varied decisions of individual people. These conceptual sums are inanimate; they cannot – and do not –feel risk. Instead, it is their executives, owners, employees, and customers who feel risk. Their soft squishy human hopes, dreams, passions, fears, biases, moods, and biochemistries ultimately drive organizational “risk tolerance” and we should never forget it. Here, it’s crucial to understand that people almost exclusively put risks to themselves ahead of all others (including an organization’s).

So, then, if the “collective” risks to individuals do trump all else, where do we look for ownership and resolution?

Well, some would say “users”, but do “users” (or “individual performers”) care more about meeting their boss’s expectations or saving the intangible organization from invisible adversaries and hidden costs without direction? Probably the former.

Further, while “the bosses” who set these expectations might see that the cyber problem exists, their primary risks resolve around meeting their own senior leadership’s expectations as well.

Ok, but isn’t IT Security key to cyber risk management? Not really. IT Security, like any other group, must align themselves with their senior leaders’ and executives’ priorities. Without that alignment they hold no sway or effect.

So, then, it’s on Executives. Senior leaders, what drives your risk appetites?

I ask because cyber risk management is a hard problem. Aren’t you safest if you follow best practices and “buy Cisco”? Ultimately, if you do and your organization gets compromised, what happens to you? Most likely very little – you did your best after all. Is it even in your best interest, then, to know cyber is a hard problem? If you’re aware that best practices have been failing like communism, aren’t you then obligated to come up with solutions of your own? Wow. No way. It’s best to believe the hype; best to buy Cisco; best to keep transferring the risk.

Intentional ignorance (or lack of “awareness”) isn’t just bliss, it also reduces risk to those people directing organizations and dictating the priorities of their human building blocks.