Mythological dice, Texas hold 'em and risk leadership
It’s amazing to think that the Greeks, prodigious contributors to math, science, logic, law, architecture, rhetoric, philosophy – you name it – didn’t know much about risk. Sure, Greek mythology begins with Zeus, Poseidon and Hades divvying up the universe in a game of dice. But they never employed risk management as a methodology to take the future into their own hands.
As Peter Bernstein writes in his 1996 bestseller Against The Gods: The Remarkable Story of Risk, “Despite the emphasis that the Greeks placed on theory, they had little interest in applying it to any kind of technology that would have changed their views of the manageability of the future.” They left the future to the winds.
It took until the Renaissance and Protestant Reformation, argues Bernstein, before people thought of the future as more than a mere matter of luck or predetermination. Today’s understanding of risk management emerged from the work on probability theory by three 17th-century Frenchmen: Blaise Pascal, Pierre de Fermat and the Chevalier de Méré. Then two Brits, John Graunt and Edmund Halley, developed the first actuarial tables, and a legitimate domain of study was born.
Risk management as a corporate discipline emerged after the Second World War, about the same time that corporations began to add a discrete security function. Over the years, risk management has grown into a strategic business imperative, as witnessed by the prominence of such organizations as the World Economic Forum (which releases an annual risk report) and the broad adoption of enterprise risk management frameworks, such as COSO and ISO 31000. Security doesn’t always fare as well.
It’s time for security professionals to redefine themselves as risk management professionals and take their place among risk leaders.
Yes, the corporate world is overflowing with people calling themselves risk management professionals: attorneys, auditors, actuaries, facilities managers, financial officers, operations personnel, marketing managers and so on. But how many have truly mastered risk and can readily apply its principles in their environment?
Not many. There’s plenty of room for security professionals to be risk leaders in a world overflowing with uncertainty.
And there’s no shortage of material or demand. Coronavirus, the pandemic-driven devastation to industries including aviation and hospitality, a global recession bordering on depression, rioting and civil disobedience, changing climate patterns, nation-state cyberwarfare, water scarcity, rampant cyberattacks, political polarization, institutionalized economic espionage... The list of chronic and acute risk elements goes on and on.
But how can security professionals best develop a risk mindset based on probability and rigor rather than intuition and emotion?
Texas Hold ’Em players may be the best models. As professional poker player and corporate consultant Annie Duke writes in “Thinking in Bets: Making Smarter Decisions When You Don’t Have All the Facts,” “Poker players have to make multiple decisions with significant financial consequences in a compressed time frame, and do it in a way that lassoes their reflexive minds to align with their long-term goals.” She encourages readers to think of all decisions as bets, with something at stake. She might have security professionals ask: What are the consequences of deploying an office patrol versus maintaining stationary posts? Is the protection provided by multifactor access control authentication worth the staff inconvenience? What does a trendy blockchain solution offer that a vanilla distributed database doesn’t?
Long-held beliefs often dictate how we make decisions (video surveillance deters crime, so let’s install an enterprise-wide system – or does it?), and we usually don’t vet those beliefs. Duke suggests “taking an inventory of the evidence that informed us,” by asking questions such as: Where did I get this information? What is the quality of my sources? Is the information up to date? And what are plausible alternatives to my conclusions? Moreover, instead of thinking about the future from the present, effective risk managers look back from a successful future and figure out how they got there, a process known as backcasting.
You’ve probably committed to learning how your employer’s business operates and how you can support it, and you may well be burnishing your communication and emotional intelligence skills. Understanding and dealing with risk is yet another critical component of security leadership, a step that will enshrine you as an organizational risk leader. And while you don’t have to learn ancient Greek to get there, a little poker know-how doesn’t hurt.