Risk management is an art, not a science. That is the contention of Andy Ellis, CSO of Akamai and a keynote speaker at RSA Conference 2013. How can psychology change one's approach to risk and security management?
It's a sea-change for security and risk leaders, Ellis says.
"Really, it's sort of like using judo - use your mind to move the business and be intelligent about what you're doing," he says, "and not just use brute force to manipulate the business, which is what we've done historically."
For Ellis, the transition started with the realization that, as a security leader, he was failing in his efforts to raise business executives' awareness of security risks.
"Often, my attempts to communicate how dangerous something might be didn't really work," he says. "What I was realizing is that when you try to give someone an example - 'Here's how bad what you're doing might be' - you haven't let them understand how you get to that. So, you sound sort of like Chicken Little."
Through study of psychology and risk, Ellis came to realize that the issue wasn't one of risk tolerance, but rather risk awareness. And so he now works to ensure that risks are communicated better and upfront, so they can be considered appropriately by leaders making business decisions.
"How do we make it so that security risk is part of the equation - that when someone is making a decision, they own the security risk and the awareness of it?" Ellis says. "And that doesn't always mean they'll do better things. But over the long run, we see them improving significantly."
In a pre-RSA Conference interview about his keynote topic, "Mind Over Matter: Managing Risk with Psychology Instead of Brute Force," Ellis discusses:
- What he's learned about the psychology of risk;
- How the concept changed his approach to security management;
- How to instill the approach in your organization.
Ellis is Akamai's chief security officer, responsible for overseeing the security architecture and compliance of the company's massive, globally distributed network. He is the designer and patent holder of Akamai's SSL acceleration network, as well as several of the critical technologies underpinning the company's Kona Security Solutions.
Ellis is at the forefront of Internet policy - as a speaker, blogger, member of the FCC CSRIC, supporter of Akamai's CEO on the NIAC and NSTAC, and advisory board member of HacKid.