February 13, 2008
The rantings of Craig Chapman, IT Security Legend.
BG’s Ostrich Risk Management 101: A Case Study of Organisational Behaviour in Most Enterprises:
1. We don’t know if we’re being ripped off.
2. We don’t want to know if we’re being ripped off.
3. If we acknowledge there’s a problem, we’re obliged to do something about it.
4. If we acknowledge there’s a problem, we might get blamed for the problem occurring in the first place.
5. We don’t measure the problems; therefore, there are no problems.
6. If there are no problems, we must all be doing a great job at preventing problems.
7. Let’s all give ourselves a big pat on the back for preventing problems!
No problems!
BG.

It’s funny ’cause it’s true.
Yes indeed – sad but true BG. In my experience, this is the standard operating model for many organisations.
It kind of reminds me of the old Y2k scenario way back when. Did the nation not come to a standstill because the thousands of Y2k consultants did such a great job? Or was nothing ever going to happen anyway? I guess we’ll never know…
‘Big Galoot’,
if I may be so bold as to say – you have a rather cynical outlook on the world.
As a Risk Management Consultant for a Global Big 4, rest assured that ‘most’ of the enterprises we encounter do not fit the behavioural mould you mentioned.
Whilst we very occasionally encounter clients from time to time that may have small elements of your so-called ‘Ostrich Risk Management 101’ theory, believe it or not, there are actually strict due diligence and compliance laws in place that prevent much of the wild west cowboyish behaviour you have stated.
Whether it is the UK or even, god forbid, colonial wild west Australia, I very much doubt that your organisational behaviour theory applies to ‘most’ enterprises.
Oh no… not this Big 4 business again… Has this become a running laugh now, or are we really in a real world vs. fantasy world debate here? Which is which?
SM, you can find the answers if you truly know where to search for them. http://themiddleway.net/
(Thanks to Wade – reality check)
BG, what can I say that I haven’t said before…based upon our experience, yeah, scary but not far from the real truth.
Buddha here…
As Buddha, I hold all the copyright to all that buddhist philosophy stuff (posting above) quoting me at
http://themiddleway.net/
Ok, I might be dead, but if I were alive right now I would really punch them in the nose for this blatant theft of my (highly) intellectual property.
Don’t tell me to calm down, chill out, meditate and all that lah-de-dah, inner-self crap. I’m getting mad here, I call it ‘releasing my inner zen’.
See, sometimes a real good punch in the nose is all it takes to bring a real sense of serenity and equilibrium back to the world.
Bring back the biff,
Buddha.
Why is it that my postings seem to attract all the loonies?
[...] The facts are that most organisations don’t worry, care or want to know that something has more than likely (to a good probability) happened. Accountability scares people. Go to BG’s previous post. [...]
BG,
A google on “Ostrich Risk Management” doesn’t come up with enough for you not to claim this as your own. “ORM” could now become known as not Operational Risk Management but rather more aptly defined under your new acronym. Spread the word guys…
Sadly it is a more widely adopted and “successfully” implemented RM strategy than any other in the IT industry.
DD
[...] did not predict it at first… but seriously, ORM (Ostrich Risk Management) has taken on a life of its own. I have had so many emails promoting its success that we now [...]
@BG; I just wish it wasn’t so true
I’ve lost count of how many times I’ve heard this method being used for Security, and I’m not even an outsourced consultant.
@DD; Thanks for the link
Still looking for some short term contract work in the Sec space, whilst plugging
@Buddha; interesting calling copyright. Shouldn’t you be a creative commons / open / share-share-alike kinda guy? I’m sure you know, copyright stops growth and access to materials, and if you want something to grow, you don’t shoot yourself in the foot by preventing access.
Peace,
Wade
It’s pretty clear Craig Chapman isn’t very good at anything!