What we can learn from the volcanic cloud for information security

I am one of the grounded people. Luckily for me, I would have had to fly out today and am now “stuck” at home. It is not so fortunate for the event organizer, who now has a significant number of sessions he has to run on LiveMeeting. On the other hand, maybe this is the future for a lot of the travel we do: when I talk to customers on LiveMeeting, they are often fairly happy with it, and it costs me 1.5 hours instead of 1.5 days plus the expenses on top.

However, this is not the reason for this post. When I look at what is happening with the volcanic ash, it is actually fairly scary to me. Governments, based on the assessment of the aerospace industry and the pilots, decided to close the different airspaces for safety reasons. And to be clear: the government’s job in this situation is the safety of the passengers. It seems completely plausible that this assessment is fairly cautious, as there is not enough experience and data with such a situation, and the people who have to take this decision want to be on the safe side – and I want them to stay there, as I will fly again when they open the airports… Airbus, as an example, has clear Flight Operations Briefing Notes on Volcanic Ash Awareness – the question is what the critical concentration is – something we do not know. And now the problem starts. Initially the decision was clear and “well taken” by all the different people – even the grounded passengers. But then the commercial factors come into play, which I definitely understand. It might well be a question of survival for some airlines. So the politicians as well as the businesses take part in this discussion and try to influence the authorities to remove the ban – and here it gets dangerous in my opinion. It will be interesting to see where this leads, but imagine the scenario where the government opens the airspace and a plane crashes because of the volcanic ash…

Let’s take that to the business. Is this not a common scenario? We have the job of ensuring the security of our company’s information, but there are commercial as well as political issues to consider. Unfortunately (or fortunately), the business has the power to overrule a decision taken by security based on its risk assessment. Most often, however, this decision is not life-threatening – so the impact might not be as severe as with the airline industry at the moment. To overcome this problem, it leads me back to what I say very often: we have to bridge the gap between how we assess risk and the way “people” look at those risks. We have to find a common language and a joint understanding of the problem – something I think is missing with the volcano above.

So, most often – as with the volcano – it is more a communication problem than an engineering problem. Additionally, it is a problem of too many people assessing risks they do not understand. I have heard very often from ordinary people that governments are overly cautious – stated by people who understand as much about flying a plane as I do, which is nothing.

If you take the lesson for yourself as a security professional: you have to make sure you understand the risks as far as possible. Additionally, you have to make sure the decision makers understand the risks and the consequences if the risk materializes – and they have to understand it in their own language.

Roger