John McCumber is a security and risk professional, and author of Assessing and Managing Security Risk in IT Systems: A Structured Methodology, from Auerbach Publications. If you have a comment or question for him, e-mail Cool_as_McCumber@cygnusb2b.com.
As I mature in both my career and life, I have found myself spending a good deal of time looking at retirement planning tools. There are numerous online sites that offer to help you estimate the amount of money you’ll need to retire, with additional planning capabilities that allow you to establish a plan to meet that financial goal. There are public seminars offered by financial planners, brick-and-mortar offices, and telephone-based groups associated with insurance companies. Seemingly, everywhere you turn, there is someone offering advice.
As I was driving into the office last week listening to my local news station, a radio sponsor was claiming the first rule of retirement planning was determining how much money you would need in retirement. His thesis was that once this number was ascertained, you could design a savings and investment program to target that number for a retirement age you specify. If you came to his seminar, you’d learn how to perform this relatively simple mathematical calculation.
Almost all these retirement programs and calculators center on a yearly income stream derived from your current income. The estimate they provide is usually somewhere between 75% and 125% of that current income, depending on your preferred lifestyle. One calculation I ran said I was waaaay behind in my retirement planning because by the time I was 94, I wouldn’t have a $495,000 income for that year. Seriously?
As a risk professional, I know this type of risk planning can be misleading. The most significant metric isn’t how much you’ll need per annum in your nineties; it’s having a solid idea of when you’ll likely die. You might think this just as odd as the straight-line calculations, but bear with me.
My father died before seeing 60 years, my uncle succumbed at 58, and my sister passed at a young 51 years. You can see where my family history would influence a modified retirement scheme. I try to live somewhere between running around YOLO-ing like a fool and investing much of my salary in an overly prudent savings plan. I want to ensure my family is financially solvent in the event of an untimely death, but I also make it a point to live each day as a gift, seeking out adventures and investing in good times.
For security and risk professionals, the lesson is the same. Your organizational risk tolerance isn’t simply a function of standardized formulae and straight-line risk/reward analytical functions. In order to be truly effective, you have to find a way to incorporate unique organizational metrics into your proposals. Risk is tied to organizational objectives that you need to help define. Neither industry best practices nor knee-jerk responses to events are sufficient. Standards provide us a solid guide, but it’s up to us to determine specifically what recommendations are best for the organizations and decision-makers we support.