On Risk

Manage the risks you experience, not the risk you perceive (or read about).

What you call it should drive how you fix it; or: understand what it is, call it what it is, and fix THAT!

Understand your risks and know when they have no revenue stream to offset them but are caused or created by another entity that does.

Optimize risk-adjusted return.

On "Identity" and Data Risk

There is no such thing as “identity theft,” we have a problem with impersonation.

We are who our mothers know us to be, not the names and serial numbers issued to us by governments, institutions, and vendors.

Carbon-based life-forms (or carbon-based ape-descendants) = Humans.

KYC does not mean you know your customer; it means you subjected an applicant to a de minimis process so you can claim compliance with an ineffective and arcane law.

“Dave” = The weakest link in any ecosystem of security. Dave is the human factor.

“Identity” tech is failing to ever-higher standards and at greater scale, for a higher cost, with institutionalized consequences. Security tech is also failing; identity tech could solve security tech problems.

The gold standard lock on the door is worthless if we don’t know to whom we’re giving the gold-standard key!

Digital identity implies and assumes certainty, yet purveyors and advocates of it rely heavily on a risk-based data consistency model to underpin foundational identities.

When seat belts were justified against the cost of the medical and legal consequences of accidents, the remedy was a relatively simple matter of future deployment. Fixing the polluted data upon which the current commercial identity model relies is an unquantifiable and impossible task. This is a threat to banks, driving them toward the same withering insignificance that is plaguing governments.

We’ve been cavalier at scale about data accuracy, and ambivalent to consequences.

Credit management thinking is poisoning identity risk control.

Vendors rooted in credit control are reinforcing the myths and legends of current flawed Identity thinking.

There’s an awful lot of money to be made getting identity technology from 1979 to 2009, but what’s good enough for 2009 isn't good enough for 2019.

On Business

We're addicted to “solutions” that pay, not solutions that solve.

Shareholders’ interests are not aligned with stakeholders’ interests, especially when the stakeholders are the general public. Hence the booming business in pitchfork democracy.

Funded adequacy trumps unfunded perfection.

On Cybersecurity

People don’t want healthcare; they want health! They don’t want cybersecurity; they want secure-cyber! We create lifetime dependencies on prescription medications instead of cures and vaccines, and unending subscriptions to cybersecurity solutions that don’t quite solve!

Always assume your adversaries are at least as competent as the least competent of your team. Hire accordingly.

On Organization and Hiring

Organize around your risk, don’t back your risks into your organization.

Your adversaries will be at least as dedicated as the least dedicated of your team. Hire accordingly.

Understand the risk posed by the opportunist, vs. the organized bad actors. Plan accordingly.

The organized bad actors will be better equipped than you think. Plan accordingly.

Always remember your adversaries are prepared for "persistent engagement."

On Compliance and Regulation

We’re creating more complex solutions to mitigate the regulatory risks of fines and penalties, and not addressing the underlying risks driving reactive regulation. This undermines the reputation of government and makes good governance harder.

Why settle for legal compliance when we could solve the problem? Or why comply when you can solve? Justifying bureaucrats is inadequate justification.

Fines for fiduciary malfeasance should be proportional to wealth, personal, and painful.

General Parryisms

We have become aggressively indifferent (to demonstrated failure).

Like a turnstile in a desert (to describe futile controls).

If the janitor has the answer, ask the janitor! (On getting out of the echo chamber of like-minded thinkers).

If you don’t want to wear the seat belt, one can hardly complain about going through the windshield.

“I'm a risk manager. I'm not paid for happy thoughts.”