Cool as McCumber: Que Sera Sera

March 15, 2016

As a child, I loved to listen to my mother singing along with popular songs of a bygone era.  One of her favorites was a Doris Day melody of the period called Que Sera Sera.  For you youngsters who aren’t familiar with the tune, the opening lyrics were: “Que sera, sera / Whatever will be, will be / The future's not ours to see / Que sera, sera…”  This whimsical and lighthearted song obviously provided my severely handicapped mother with a philosophical tactic to look at the uncertain future she and our family faced in the early 1960s.  It echoed the advice I often received from my father that worry was simply paying interest on a debt you may never owe.

My parents worked hard to provide their five children with what they needed in spite of illness, relocation and job concerns for my father. They didn’t fear the future; instead, they focused on dealing with the problems at hand, and passed that wisdom down to us by their stalwart example. We were taught that life was ten percent what happened to us, and ninety percent how we responded and managed the hand we were dealt.

Last week, I sat in a meeting with several company executives as they wrestled with the challenges of a major security breach. Their chief security wonk was taking a risk-avoidance stance and was defending his earlier decisions to prioritize various technology investments he had recommended in order to prevent what was now a known attack, and a subsequent loss of sensitive data. The breach had started with a compromise of a third-party system not even under his direct control. His face was red, and his defensive responses to questioning resulted in a stressful and ultimately ineffective meeting.

The risk-avoidance approach has been decried for at least a decade and a half now, and the industry standard has become risk management. The two may appear similar, but they are most certainly not. Risk management recognizes the axiom that you must prevent what you can’t detect, and detect what you can’t prevent. That is the fundamental principle driving the evolution from purely defensive capabilities to building the infrastructure necessary to “hunt” for threats in your systems, and to ensuring you have plans and procedures in place to limit the damage from external attackers, internal threats, and natural disasters.

Risk management requires the professional to take a dispassionate look at all the vulnerabilities, assess threats, manage safeguards, and make reasoned recommendations. When bad things happen, it also provides a framework to respond effectively and deal with a crisis. It is certainly not the laissez-faire attitude of Que Sera Sera, but it does recognize that we don’t control all the variables that will ultimately impact our business. In spite of all the media finger-wagging after the breaches at Target, Home Depot, and even the Office of Personnel Management, people still shop at Target and Home Depot, and OPM slogs onward. Life goes on. The future is not ours to see. We just need a strategy to deal with it.