
The $700bn question for security professionals


 
09-26-2008

Dear fellow professionals,

There is no doubt that the world financial markets are in trouble. It also looks as though it may cost a lot of money to 'stabilise' them... to the tune of at least $700bn (so the news reports say).

One of the causes of the credit crunch and the resulting market near-meltdown has undoubtedly been the inaccurate pricing of risk. With CDOs, sub-prime mortgages (what a euphemism!), other credit derivatives, the financial specialists have managed to disconnect the owner of a financial asset from the asset and its inherent risk. The longer the "risk chain" became, as mortgages, consumer loans and other debt obligations were packaged and repackaged, the more difficult it was to assess the risk of default and to rate these products.

As a result, many people did not know what they were really buying and hoped that the mostly "finger in the air" ratings given by some institutions to their own repackaged debt baskets were true. These models for rating the risk of such assets were mostly internal, i.e. created by the institutions inventing these complex products and had never been priced in an open market.

I believe that we will see more regulation in the market for such products and I also think new, tighter risk rating frameworks will emerge, for financial firms as well as for the products they sell.

I also think that, in order for us security professionals to come out of our relative niche and achieve bigger job mobility and, dare I say it, job satisfaction, we need to speak more the language of risk rather than the one of technology.

Yes, it is true that technology is never going away and, in fact, with hyperconnectivity engulfing us, the finance world will be even more dependent on technology. Things like network security, firewalls, authentication, access control will always be there and be very important, but we, as professionals, have to start billing ourselves, perhaps, as "technology risk" professionals instead.

Companies and financial institutions will be much more in tune with a language of managing risk now (financial, technological, human, etc.) than with the complexity and the detail of the security measures needed. People make risk decisions and security trade-offs every day (should I cross the street? ..should I change my dentist? ..should I put my savings in this bank?) and our job would be easier if we spoke a language they 'natively' understand.

So, the question for you out there is: do you buy this argument? Do you believe that we as professionals need to speak more about managing risk for organisations (and back it up with knowing which technology measures to employ in practice) rather than endlessly talk about complex security techie stuff or the latest algorithm / router / antivirus and so on?
