Tail Risk - Two Truths and a Why
Getting started is often the hardest part. That is why icebreakers and facilitations exist. Anybody in cybersecurity long enough has seen and felt this. One could feel paralyzed and overwhelmed by the proliferation of code, network components, checklists, frameworks, alerts and regulations. The profession is downright intimidating. This doesn’t mean it’s hopeless. In situations like these, I try to remind myself not to make the perfect the enemy of the good. That is why we are beginning this blog series with two truths and a why.
The first truth is that cybersecurity is a difficult problem in almost every way. There are technical, business, policy, social and behavioral difficulties. Chief Information Security Officer of In-Q-Tel, Dan Geer, writes that “There are three professions that beat their practitioners into a state of humility: farming, weather forecasting, and cyber security.” These are the kind of cheery observations that information security professionals are known for, and yet, I’m a long-run optimist. Over my decade in the profession, I’ve witnessed cybersecurity go from being a novelty, to a regulatory burden, to a public relations crisis. If anything worries me, it is not that we cannot make progress, but that we will be collectively numbed to the lawsuits, negligence and onslaught of headlines.
The second truth is that just because something is difficult doesn’t mean it isn’t worth trying. Although we currently lack the knowledge of how to optimally prioritize, budget and allocate cybersecurity resources, that doesn’t mean it is a futile exercise. Progress is made in fits and starts. Organizations like Cyentia Institute, the Center for Cybersecurity at Columbia University’s Data Science Institute and the RAND Corporation are producing more and better research than ever before. As regulations emerge, business practices evolve and the talent pool grows, the return on investment will improve and get easier to assess.
Finally, the why? When I left the industry for graduate school, I chose to study business and public policy, despite having worked in cybersecurity. Although I took as many engineering and programming classes as I could, my main goal was to understand the incentives, mindset and landscape in which cybersecurity exists. Tail Risk grew out of a desire to price risk.
We believe in a future in which the value of cybersecurity is knowable and bought and sold accordingly. This future is already emerging as insurance companies, hedge funds, private equity firms and banks begin to make real financial decisions with cybersecurity in mind. That does not mean this future is predetermined. Bringing together technical expertise with business experience and public policy knowledge is a big task, and it will take all hands on deck. We would rather be topside in the tempest than in the captain’s quarters pretending there is no storm.