I'm no big fan of overly complex approaches to risk management, and recent economic events have made me even less so.

There was a great article in the Economist about a conference for the American Securitization Forum - the wonderful people that brought us all these complex debt products that are giving banks no end of bellyache. Ironically the conference was held in Las Vegas, and a wonderful quote came from hedge fund manager John Devaney, who said "I'd like to thank the market for dealing me a direct hit. As a trader if you don't get sucker-punched every once in a while, you don't understand what risk is."

Also, there were a few good articles last week about how money managers had retreated from the market because they'd lost faith in the ability to model risk effectively.

If only it were so easy for information risk professionals, who often protect far more than just money - we protect innovation, national security, and even human life in some cases. It's not quite so easy for us to take a direct hit.

Let's go back to 2001 and do a little math:

Huge IT contract + Politicians + Lobbyists + Soft IT market + Legions of government contractors + Newly created government agency + More politicians + Career civil servants

What does that make? A hugely expensive, difficult, political and organizational undertaking, and plenty of scope for fingerpointing -- and that's what we've got.

Full disclosure here: I was working for Unisys for the first three years of this contract, and only a non-US passport kept me from working on this engagement (and believe me I thanked my lucky stars every morning when I woke up that I wasn't).

I'm not a huge Unisys defender in general -- I saw plenty of gaffes from the sidelines, and like any large systems integrator Unisys has its fair share of inefficiencies and dead wood -- but Unisys is being accused of everything under the sun, from covering up the problems, to kicking puppies and being mean to its gradmother. I'm just not convinced anyone else would've done much better -- and has anyone noticed the alarming regularity with which government agencies blame their contractors compared to their commercial counterparts?

Investors Bank and Trust CSO Jeff Bardin wrote an interesting blog post in May about how companies "taken private" by private-equity firms were cutting back on audit and security staff now that they were no longer subject to Sarbanes-Oxley.

This got me thinking that perhaps the recent credit crunch might be good for us security people in a couple of ways. First of all, less credit means less cash available to finance these deals that endanger the security budget. More importantly though, businesses are going to be more attuned to how making risky business decisions can have far ranging effects, and before taking these decisions they should be more informed about how big those risks are. Heightened awareness of risk-reward principles can only be a good thing for a security guy who is able to talk about risks in business language, and draw parallels between what is happening in the marketplace with the way an organization takes decisions around security.

There's been a lot written about the deficiencies of DRM over the last couple of days, with some justification too. Recent efforts have been pretty shoddy, with very little effort devoted to allowing content creators to get true credit for their work and more to serve corporate interests. There's some pretty complex political wranglings to sort out here, between the content providers and hardware and software manufacturers. Does this mean the end of DRM? I doubt it.