In the wake of a Federal judge’s ruling that the United States’ National Security Agency probably acted unconstitutionally by accumulating huge volumes of call records, it is worth reviewing how telecommunications became the locus of the greatest privacy scandal in human history. This month’s New Yorker includes a detailed article explaining how the US government approved, and continues to justify, the gathering of all phone records; see here. The issues and failures are recognizable to anyone engaged with setting and maintaining limits on how human beings can use (and abuse) technology to accumulate and interrogate large volumes of potentially sensitive data.
To my mind, the story also tells us why so much telco risk management ends up becoming a sideshow. The unfortunate tendency is to focus on minor operational flaws that various parts of middle management could and should be dealing with already. This distracts management attention from much more significant risks that demand clear thinking from the company’s top decision-makers. As noted previously on talkRA, when asked about dangers relating to the use of electronic communications, social media, protecting privacy and similar topics, many risk managers typically respond with bland mutterings about why they matter, without suggesting they will do much about them. Nor will they draw the connection between topics like lax internal attitudes to customer data and the far more expansive risk that customer data may be obtained wholesale, for purposes that customers would passionately object to.
Blaming the government is scant compensation if the telco suffers because its customers fear being spied upon. Businesses like Google and Microsoft have actively distanced themselves from the actions of the US government, fearing that their businesses have been damaged. The scandal has led some private businesses to withdraw their communication services. And yet, if you believe the rubbish spouted by some people, now is the time to ‘educate’ senior execs about ‘all’ risks – which means telling them about ‘revenue loss from incorrect bills’ and ‘PR problems traced back to operational mistakes’. In other words, inferior middle managers should draw the attention of senior execs away from really big risks, towards relatively small risks, in order to plead for more money for more software to highlight the mistakes made by… inferior middle management.
Maybe the fault is with me. If asked my opinion, I would say that the PR problems caused by operational glitches will always be smaller than the PR problem caused by a government obtaining all of the telco’s data in order to track the behaviour of all of its customers. But I am sure that cVidya can sell you a TMF-approved ‘risk model’ written by ‘vendor and carrier experts’ which reaches the opposite conclusion. After all, we are talking about ‘experts’ in the field of risk management… ‘experts’ who learned everything they know about risk management by searching for incorrect bills and highlighting operational mistakes.
In part, I am being boring. cVidya has always subordinated every telco priority to cVidya’s priority of pushing more and more software, although the trend is to transform the people who use the software into button-pressing chimps. But there is another important, and straightforward, explanation for why some telco risk managers adopt a Janus-like attitude to risk, obsessing about the trivial whilst blind to the worst risks. Risk managers prefer risks they can manage. If they are on the middle rung of the management ladder, they exaggerate the importance of the risks they can do something about, and play down the significance of the risks that sit above their pay scale. So moaning and bitching about other middle managers becomes more productive than calculating the impact of, and suggesting responses to, the really major risks. As a paradoxical consequence, more management time and effort is spent on methodically compiling data on smaller risks than on the largest risks, further skewing perceptions about the risks facing the business.
When it comes to a topic like maintaining the integrity of data and ensuring data is not misused, there is no convenient dividing line between where the small risks end, and the large risks start. The abuse of one person’s data is a bad thing. The abuse of everybody’s data is also a bad thing. It makes no sense to try to gerrymander ‘risk models’ so middle managers can implement controls and issue policies meant to prevent the former, whilst they shrug their shoulders and look at their feet when asked about the latter. That is not managing risk. That is wilfully ignoring risk. The irony here is that there are more jobs to be had, and more software to be sold, when tackling many small risks, than from dealing with the few really big priorities.
Risk managers should also manage the risk to their own careers. Telco risk managers might want to learn a lesson from their cousins who managed risk for banks. They did themselves no favours by telling the world they had a lot of fancy risk models. The vacuousness of their promises was made abundantly clear in 2008, and the reputation of the financial sector may never recover.
Even if cosying up to government is generally seen to be an advantageous move, in countries like the USA the government will change more frequently than the hopes and expectations of the general public. President Obama oversaw and approved the perpetuation of the NSA’s borderline illegal programs. James Clapper, Director of National Intelligence, holds on to his job, despite his bald-faced lies to Congress about the extent to which calls were monitored. But both men will move on, sooner or later. Their replacements may not look too favourably on big businesses that eagerly assisted the big brothers within big government. Senator Rand Paul, a front-runner for the Republican Party’s 2016 Presidential nomination, is gaining a lot of support for his crusade against government spying. So real risk management also involves calculating the consequences of being on the right side of the current government, but the wrong side of the next one. That, unfortunately, is the kind of outward-looking, forward-looking risk calculation ignored by so-called ‘risk models’ which claim to cover ‘all’ the risks.
Instead of ending 2013 by talking about the recurring campaign of obfuscation and misdirection led by some so-called risk ‘experts’, let us finish on a positive note by looking to the future, and listening to Rand Paul. Here he explains how he wants the law to do a better job of protecting personal information. Real risk managers will understand why their businesses are better off when such laws are treated with the respect they deserve.