Folktales and fables are ways to make sure we learn life’s essential lessons both easily and at an early age. And two of the ones that I think are most relevant to what we do as security professionals are The Boy Who Cried Wolf and Chicken Little.
Quick refreshers might be in order, so here we go:
In the first one, the boy is a shepherd who gets pretty bored sitting alone in the fields watching the sheep. To amuse himself, he cries “Wolf! Wolf!” at the top of his lungs, and all the villagers come to see what the matter is. After a few times of this, the villagers get tired of being the foil in the game, and ignore the boy. The last time, the wolf really does come, but the villagers think it’s a game, the wolf eats the sheep and, depending on the version, eats the boy as well.
Chicken Little is the story of a small chicken out for a walk on a fine day who happens to get hit on the head with an acorn as he passes under an oak tree. Looking around, he doesn’t notice the acorn, so surmises that the sky must be falling. He decides he needs to do his civic duty to tell the King. Along the way, he meets several other animals, generally of the fowl persuasion, and eventually they come upon one Mr. Foxy-woxy who claims to be hosting the King in his den. However, the den is far too small to admit the whole band at once, so he suggests they go in, one by one, for an audience. Here again, there are alternative endings with varying levels of PC-ness, but in the general one I knew, Mr. Foxy-woxy eats them all for dinner, and there, of course, is no King.
Actually, there are quite a few lessons we need to have front-of-mind as we go about what we do, but the primary ones are:
- You only get a few chances to tell people things are going to happen that don’t. Don’t waste them, and make sure you can back up what you’re predicting.
- An acorn isn’t the same as the sky, so make sure you’ve put what you’re analyzing in the proper context. The King will only listen to the story of the sky falling so many times before you get the door shut in your face—that is, if you make it to the castle in the first place.
- Don’t just take everything you see, hear or read at face value. This goes beyond the “trust but verify” mantra we know and love, and it’s where some of the key practices of The Agile Security System™ work together to keep you safe.
Actually unpacking these and realizing the multitude of places they surface in security work can take some time and deeper thought, however. Sometimes they work together, and sometimes you see them standing alone—but the key dependence we have…
…is that ultimately, each one depends on something that’s well above our pay grade as a security professional to establish:
The organization’s risk appetite and risk tolerance.
Because if we don’t understand what these are, we’re going to be crying wolf a whole lot based on what seems to be catastrophic in our world, but might only be a minor blip in the worlds of the people we protect and enable.
Now, there are a number of ways to pluck this particular chicken, and some are better than others. And knowing which way you should be using for a particular situation isn’t always straightforward.
Fortunately, you’re in luck if this is something that is getting in the way of your own effectiveness or eroding your credibility with your customers—whether it’s about the risk ratings you produce or about the level and quality of the proof you have to back up your recommendations…
…because understanding the ins, the outs and the graceful evolution of doing risk assessments based on both your growing skill levels and the level of information at your disposal is EXACTLY what I’m going to be talking about in the upcoming May issue of the Security Sanity™ print newsletter.
If this is something you care about, the deadline to make sure you get it is running at you faster than a headless chicken being chased by Mr. Foxy-woxy, because at 11:59pm US/Eastern time on Thursday, this goose is cooked!
If you haven’t already, you can subscribe here:
Stay safe (and contextually relevant),
ast
—
Andrew S. Townley
Archistry Chief Executive