A Risk Based Approach
In the movie "Under Siege 2" (not a great movie, I know) there is a scene where the lead bad guy asks one of his subordinates if Steven Seagal's character is dead, and the subordinate replies "Yes, he's dead". The lead bad guy replies "Did you see the body?", the subordinate replies "No, I assumed . . . . . . ", and the lead bad guy interrupts and says "Assumption is The Muther of all F*&#Up's". As the movie goes on, Seagal knocks off the bad guys one by one and ultimately foils their plans.
The moral of the story is simple: DON'T EVER ASSUME!
After I watched this movie years ago, I sat down and thought about the things in my life, both personally and professionally, that have not gone as I had planned and/or have blown up in my face. I quickly realized that the vast majority of them were caused by an assumption I made that didn't turn out to be true. In my defense, I can say that as I have gotten older I try to narrow my assumptions to ones that seem to be no-brainers, but even those have blown up many times.
Making assumptions is a human trait, and it is required to move through the many decisions we must deal with on a daily basis. However, there is a process one should apply in deciding when to make an assumption and in managing the risks involved when making it.
- Impact Analysis: The first and most important thing to determine is the impact if the assumption you made does not come true. It is not a question of the likelihood of the bomb going off; it is the damage created if it does. You need to define and understand what the impact will be if the assumption turns out to be wrong.
- Incident Response Plan: If the impact is critical, can cause irreparable damage, or will cause an unpredictable domino effect, you need to identify this and you need to have 2-3 backup plans documented and ready. One thing that causes me a lot of frustration is not when someone comes to me telling me XYZ didn't work out as planned. It is when I ask them what contingency plans, or at least ideas, they have to deal with the situation and they respond "I Don't Know" or "I Don't Have Any".
I guess the moral of the story is not to be a glass-half-empty person, but to understand that when making assumptions you should think things through carefully and always apply a risk-based approach to everything . . . . . . . . . . . . including "Assumptions"!