January 28th was the anniversary of the Space Shuttle Challenger disaster. The Rogers Commission detailed the official account of the disaster, laying bare all of the failures that lead to the loss of a shuttle and its crew. Officially known as The Report of the Presidential Commission on the Space Shuttle Challenger Accident - The Tragedy of Mission 51, the report is five volumes long and covers every possible angle starting with how NASA chose its vendor, to the psychological traps that plagued the decision making that lead to that fateful morning. There are many lessons to be learned in those five volumes and now, I am going to share the ones that made a great impact on my approach to risk management. The first is the lesson of overconfidence.
In the late 1970’s, NASA was assessing the likelihood and risk associated with the catastrophic loss of their new, reusable, orbiter. NASA commissioned a study where research showed that based on NASA’s prior launches there was the chance for a catastrophic failure approximately once every 24 launches. NASA, who was planning on using several shuttles with payloads to help pay for the program, decided that the number was too conservative. They then asked the United States Air Force (USAF) to re-perform the study. The USAF concluded that the likelihood was once every 52 launches.
In the end, NASA believed that because of the lessons they learned since the moon missions and the advances in technology, the true likelihood of an event was 1 in 100,000 launches. Think about that; it would be over 4100 years before there would be a catastrophic event. In the end, Challenger flew 10 missions before it’s catastrophic event and Colombia flew 28 missions before its catastrophic event, during reentry, after the loss of heat tiles during take off. During the life of a program that lasted 30 years, they lost two of five shuttles.
My esteemed colleagues Renee Murphy and Nick Hayes joined me in a fully collaborative, marathon evaluation of 19 of the most relevant GRC platform vendors; we diligently pored through vendor briefings, online demos, customer reference surveys and interviews, access to our own demo environment of each vendor’s product, and as per Forrester policy, multiple rounds of fact checking and review. The sheer amount of data we collected is incredible.
Let’s put it this way: social media and security don’t work together very well today. Marketing professionals who see social media as a vital communication channel view security as a nuisance, whereas Security pros view services like Facebook and Twitter as trivial pastimes that expose the business to enormous risk. The problem is, when it comes to social media, these two facets of the organization need to come to terms with each other – and this was clearly on display Tuesday when the Dow Jones briefly plummeted over 100 points due to false Tweets from AP’s hacked Twitter accounts that indicated President Obama had been injured by explosions at the White House.
This recent breach signifies two things: 1) the potentially damaging impact of social media is real and growing, and 2) companies today aren’t doing enough to mitigate the risks.
As social media becomes a legitimate source of news and information, the implications for inaccurate or inappropriate behavior continue to grow. Damaging or disparaging comments on Twitter (whether intended or not), can have a real impact on your business and the way customers view your company and brand. Companies need to do more to protect their organization from social media risk because:
If you had to go up one level in a train station, would you take the stairs or use the escalator? Most people would choose the escalator. But what if the staircase played musical notes like an interactive piano? This may change things, right? A couple of years ago, Volkswagen began sponsoring an initiative called The Fun Theory that tested the degree to which they could change people’s behavior for the better by introducing an element of fun. In one example, they found that by adding a unique element to the stairs – transforming it into an interactive piano – they were able to increase staircase use by 66%. You can watch the short video here.
You can apply this same principle to your training and awareness programs -- find your own piano staircase, and use it to begin guiding people to choose the right thing on their own. Chris and I have been working on a report that stresses the importance of organizational culture in the development of risk and compliance programs. Throughout the research process, we asked risk and compliance professionals and vendors in the space the same question: “How are you influencing and promoting positive behavior?”
You can create new technical controls and policies, and you can require employees to sign attestations all day, but these efforts have minimal value (or worse) when there’s no positive reinforcement. When compliance and risk management are considered obligatory tasks, rather than meaningful efforts that the company values, it diminishes the perceived importance of ethical behavior.