Welcome to the seventh 'Rumination' by John Salter - a newsletter sharing my reflections on what ought to have been known - and done - about risk, and its management. Previous copies are available for your reflection here.


***

No Photos


For a 3min 54sec version - click here.

What we prohibit - and why we prohibit it - is, or should be, based on considerations of sensitivities. Considerations which make us safer, stronger or more resilient. Ironically, the opposite is sometimes the case, and in seeking to be more secure we actually become more vulnerable.


Having conducted risk assessments of sensitive facilities across the globe, I have been familiar with policies of “no photos” for decades.

I remember assessing the vulnerability of a data centre for a large multinational client based in a faraway, not-to-be-named land. The cooling systems for the computers had been removed from the roof - and placed only a short grenade throw from the fence and adjacent roadway - to accommodate a panoramic vista for executives at their end-of-the-week barbecues.

My vulnerability assessment report - like the child's ubiquitous homework - was "eaten by the dog"; my camera's memory card confiscated; and evidence of my consulting work was erased even to the extent of non-payment.

"No photos / No paperwork" in another of its various forms.

***

I ought to have known better, courtesy of an early indicator of this culture which I will call the “lost luggage fiasco” lesson. You may have already picked where this is going. I didn’t mind not having my luggage waiting on the carousel. I didn’t mind it taking more than three days to eventually turn up. I did mind my team member - who went to get the luggage and associated paperwork needed for insurance claims - being bullied to tears by refusal to hand over the luggage until he gave them all of my paperwork, which was then torn up in front of him!

No paperwork - no foul.

***

Our own domestic culture has different but similar weaknesses associated with the way we build a (false) sense of security.

An illustration that springs readily to mind is a gig I did for a critical infrastructure T.I.S.N. (Trusted Information Sharing Network) which commissioned me to facilitate a desktop exercise. I couldn’t access their risk assessment register as I was not cleared. So I built a credible scenario to bring down interdependent infrastructure and grind a capital city to a halt, using only public domain sources to identify key vulnerabilities. Expert risk assessments had yet to identify this particular weakness, and this gap in the risk register was too embarrassing for me to use to open the discussion exercise with. So, as a workaround, we had a ‘credible, respected stakeholder’ announce that a “realistic and feasible scenario had been identified which would have the following impacts ... prepare to explore what this means”. For me it raised some serious questions about relying on a closed set of secret expertise. Of saying, albeit in a different way than the above examples, “no photos”.

***

"Defensive / closed cultures" are not always a bad thing; however, it is always worth monitoring - and checking that, when we apply this approach, it is itself supported by risk-based considerations beyond the narrow lens of technocrats or people caught in an overly sensitive bubble.


In a world becoming more interconnected - and more interdependent - it is important that information management errors such as "no photos thinking" are not used to paper over - and in so doing, compound - vulnerabilities.

***

Our eProducts and eServices are available globally on fiverr as they are accessible; accountable; and affordable for clients. If you need more tailored consulting services please contact us for a conversation.

Three Services

I specialise in three tailored services - which will support you in meeting your due diligence needs

 
     
 