Once more today I find myself drawn into an interminable discussion over on the ISO27k Forum.
This time around, it's with a member who (as I see it) steadfastly refuses to remove his IT blinkers and acknowledge that - perhaps - there's more to information risk and security management than IT security, that he can't simply ignore the rest or claim/pretend that it's someone else's problem.
His little IT world defines his horizon, and everything beyond the edge is (to him) at once both unseen and scary.
And to be fair to him, I'm just the same. OK, so my blinkers don't say "IT" all over them but it's true I perceive the world in terms of information risks. I can't help it. It's how my brain works. I have something of an idea of what lies beyond that horizon, but nevertheless it's scary because that's not my domain of knowledge, experience and expertise. It's not my home turf. It makes me uncomfortable.
Take 'financial risk' for example. I know a tiny bit about return on investment, exchange rates, stock markets, money markets and so on ... but I'm well out of my depth when it comes to, say, futures and options. I thoroughly enjoyed reading Nick Leeson's book about his shenanigans that brought down the veritable British financial institution of Barings Bank but I freely admit that, despite his patient and eloquent description in the book, I didn't entirely understand the ins-and-outs of his fraud (nor indeed did the bank's managers and auditors, until it was too late!). Although the story sort of made sense at the time, I was struggling to understand and, now, I'd fall in a heap if I tried to recall and explain it.
Arguably there's a difference, though, between me and my rather naive, blinkered colleague on the ISO27k Forum. Specifically, I'm sufficiently self-aware to know my limits. If I wanted/needed to get into, say, financial risk, I'd seek out and rely on someone who's good at that stuff, someone with experience and reputation, probably qualifications too. To be crystal clear, even in outlining 'financial risk' above, I'm taking a punt. The terms are unfamiliar and awkward to me, the concepts vague and ill-defined in my little head, but I recognise and acknowledge that. That's the nub of it ...
... and in so describing the situation, I've yet again demonstrated my own myopic obsession with information risk, plus risk in general.
I appreciate the information risk associated with the limits of my knowledge and expertise, and I'm willing to address them. That's a product of my world-view. That I'm even blabbering on about it here is a further clue as to the narrowness of my perspective.
Your Myopia May Vary.