Monthly Archives: February 2012

The anatomy of risk assessment: beneath the flesh

If you can recall, the prelude to this post applauded Thom Langford’s inventive approach to risk assessment, focusing on its clever analogy to the human body. We thought it decidedly creative, a style that can and should be used in risk management strategies. This blog, keeping in line with the lexicon used, will thus move on from the exterior to the interior: beneath the flesh so to speak.

Mr Langford, senior manager at Global Security Office, Sapient, explored risk management using body parts as a hook from which to peg various ideas. From the outset, he looked upon the feet as being the foundation of risk assessment, which, any lover of Pablo Neruda’s poetry will know, support the body, and as such, heart and soul.

The feet, he explained during his presentation, are equivalent to purpose. Everything stems from this, questions like what is it you’re doing, why are you doing it, what methodology do you plan to use and what is hoped to be achieved?

From thereon in, he went straight to the brain, polar opposites geographically, but metaphorically linked. This is where ideas begin to take shape – the setting of foundations. Planning and preparation is important, mapping the assessment and beginning to flesh out the questions you generated early on help give weight to your endeavour. As Mr Langford noted during the talk, this is all common knowledge, but it is worth repeating.

You see, without proper planning, you run the risk of a protracted and inefficient process of labour. Take heed from Alan Lakein, the self-help businesses author: “Time equals life, therefore waste your time and waste your life, or master your time and master your life.” Without a brain, we are the walking dead.

The eye – a favourite of Mr Langford – is a tribute to empiricism: it’s all about observation, right from the get go. Like a newborn child soaking up the new landscape of the world, those carrying out a risk assessment need to be greedy for detail and scrutinize every feature going. This isn’t to be mistaken for excessive fastidiousness, but a genuine ‘eye for detail’. It all helps to inform the final conclusions and recommendations.

The ears for us, are a fantastic instrument in risk assessment. Ironically, one of the highlights of the talk was the concept of silence. For example, ‘force’ a silence between yourself and the client when you’re not satisfied with their engagement. How? Well, consider the idea that humans have a penchant for filling in ‘the quiet’. Let a hushed atmosphere descend: nine times out of ten people will say something. It’s fascinating stuff.

In contrast, the mouth is a vessel in which the opposite strategy is deployed. Ask, ask, ask, or as Mr Langford says, ask the ‘stupid questions’. Why? Well, there are no stupid questions, and more importantly, this diminishes the notion that you are there to simply tick boxes: you are actually there to deliver change. This is another brilliant analysis that helps increase the chance of unintended outcomes. The data might be harder to analyse – it’s qualitative after all – but its overriding benefit is its richness.

As the classic saying does decree in all its earnestness, follow your nose. Again, obvious stuff, but worthwhile in how you go about conducting business. For example, if everything is fantastic from organisation, rapport, to the cup of tea you get from your client, the chances are they have good risk management policies. If everything is contrary to this, well, then roll up your sleeves, this is going to get dirty.

We can bypass his reference to lungs (it’s tenuous), but as for hands, these are the ‘bread and butter’ of the game: accessing documents, opening doors, and unlocking computers. Nothing is off limits. Let your hands have liberty of exploration, because you have to go with your gut – clever link even if we say so ourselves – because you, as an expert, know what feels right and what doesn’t.

Put all of this together and you not only get a fairly comprehensive, albeit non-textbook tract on how to perform a human risk assessment, but an authoritative guide to conducting an audit that produces focused outcomes. As Mr Langford concludes his presentation he mentions that risk assessment shouldn’t be an inconvenience, it should be collaborative, open and constructive, a piece of work that ends with both parties feeling that they got something beneficial out of the exercise. That’s the kind of world we’re striving for.


The anatomy of risk assessment: Prelude

When you’re lost for words, it is the past masters who show their perennial relevancy. Plato once said: “Human behaviour flows from three main sources: desire, emotion, and knowledge.”

We thought that a rather brilliant definition of what it is to be human, which is to say, the quality of existing that separates us from the rest of the animals. It is by no means an absolute description, but one which is fairly comprehensive. In its terse composition, it manages to say a lot in but a handful of words.

“I’m not going to talk about checklists, compliance standard or the things you must assess…you can all go out and buy books for that,” said Thom Langford, senior manager, Global Security Office, Sapient, as he opened his presentation at the latest RANT forum in London last month. Here he abandoned technical jargon in favour of something more human; a fitting embodiment of Plato’s succinct thoughts on humanism.

Entitled the Anatomy of a Risk Assessment, Mr Langford stuck to his guns, delivering a talk that was not conventional at all. It was a breath of fresh air, engaging and most of all, as an antithesis of the textbook approach – very perceptive in its scope. In using the human body as an analogy of risk assessment, he was able to articulate ideas, observations and suggestions in a dynamic way.

As a slight aside from the topic at hand, can we just say that this is an approach we really admire. There is a body of educational philosophy that concerns itself with the need for more creativity in academic life – from pre-school right through to adult learning – which leads to and engenders a much more engaging environment. Mr Langford was exemplary of this.

Anyway, the structure of the talk was based on the constituent parts of the human body. The association of the two – that is the cadaver and the risk management sector – is, we think, a new one. Who else has thought to analogise the feet to an audit’s purpose? Or for the eyes to be used as a way to describe the importance of being vigilant from as soon as a risk assessment begins?

For those of you involved in risk assessments, there’s a lot that can be derived from this presentation in terms of delivery. For example, let’s say you’re tasked with a new client and you’re brainstorming ideas as to the approach you’re going to take. We accept that in some instances you will have certain templates and structures in place that allow you to answer questions effectively and efficiently. Brilliant; we’re not knocking this, but pause and allow yourself a moment to think outside of the box. How else can you deliver the same high standards, but in a way that is more engaging for both you and your client? It doesn’t have to result in a clear cut answer – that might come later. The merit is in allowing yourself to be innovative.

There’s a video of the talk online, where you can see for yourself Mr Langford’s foray into the anatomy of this continuingly evolving branch of work, which is advised viewing. Complementing that will be the second part of this blog, which will, to lend a metaphor from the medical world, get beneath the flesh of some of the central ideas put across. In the meantime, we do hope you enjoy this thoroughly comprehensive and brilliant way of looking at risk assessment.

Big Four Information Consultancy roles for the taking

Defining a manager is a difficult thing. The Oxford English Dictionary describes it as being a “person responsible for controlling or administering an organisation and/or group of staff”. We wouldn’t disagree with that description, but it perhaps doesn’t tell the whole story.

We particularly like the quote from Frederick W Smith, founder, chairman, and chief executive officer of FedEx, who said: “A manager is not a person who can do the work better than his men; he is a person who can get his men to do the work better than he can.”

Not bad eh? Responsibility, of course, is inherent in this position, as is leadership. A manager is much more than just a chief; s/he is an integral cog that keeps things steady while simultaneously charging ahead into the unknown. Hard work and management go hand in hand but so too does success and a feeling of ownership.

There are a couple of management jobs that have popped up on our radar that we thought we would direct your way. They are both in risk assurance, one of the most dynamic and versatile industries going.

Both require a sound grasp of risk management, which they are able to adapt to fit particular client briefs. As such, strategies that identify, assess, prioritise and solve risk problems are bespoke. Good managers know that no one solution fits every box.

As ever, these management positions demand a depth of skill and expertise to be able to take charge when hitting the ground running. Take the Risk Assurance Senior Manager position: the employer is looking for a candidate who not only has financial services experience, but is also capable of delivering complex engagements.

For the other role as a Risk Assurance Manager, what is desired is someone who can help identify clients who need help in developing their risk assessment plans, which involves establishing what these risks are, how to evaluate their level of threat, how to design controls to minimise their threat and how to put in place monitoring systems to ensure they do their job.

Even though he was speaking in the 19th century, Samuel Wilson, a US meat-packer whose name inspired the national personification of the country’s government – Uncle Sam – made a very astute comment.

“As population susceptibilities are better understood, we will be in a better position than we are in today to make informed decisions about risk management,” he said.

Many years on, a job in risk management is one of the most exciting around, with a body of knowledge to boot. Be part of the generation that takes it forward. Be a manager that matters.

The new orthodoxy: Bring your own device

Even the most cynical of us are susceptible to advertising and foolhardy followers of certain brands. We’d like to think we’re immune to this, that we’re individualistic, capricious and that we choose our own paths. No sir, not the case.

Take for example baked beans. Now we’re not one to product place, but Heinz Beanz is a really rather tasty variety of beans. Some of us swear by it, even if we’ve never tasted the alternatives. I guess it’s just human nature; we have an experience and that becomes the de facto expectation.

In much the same way, brand identity has permeated the technology we use in a personal capacity. Traditionalists might swear by Dell (and Microsoft) while creative types opt for the coolness of Apple (and Mac OS X) instead. Generalisations, yes, but the fidelity towards a name, product or company is true. We like what we like.

In an age typified by daily change, the biggest shake up in human activity has been the division between work and leisure time. The boundary has been blurred, bringing with it a shaky balance of both positives and negatives. A downside is working longer hours and eroding any sense of pure relaxation. A positive is that of flexible working that allows us to spend more time at home, looking after children or carrying out errands that otherwise would have been impossible.

Lately, the concept of ‘bring your own device’ (BYOD) has begun to take on a life of its own as companies scrap previously longstanding ways of operating. BYOD is self-explanatory: employees bring their own devices into the workplace and/or operate from them remotely. It is characterised by movement, and typically the devices are portable (laptops, netbooks, tablets and smartphones).

It’s a win-win for both employer and employee. Employees get to work from devices which they both like and are most efficient on – brand loyalty at its best – while the employer saves money on purchasing the technology, troubleshooting, repairs and having to update machinery and software on a fairly regular basis.

As great as it is – and we are supportive of this flexible style of working – there are inherent problems attached to BYOD. Principally, as those involved in our industry will attest, the security issues are plentiful. With a plethora of devices native to any given organisation, the ability to provide appropriate data protection and security in a uniform way becomes a challenge.

Every device and operating system is not only distinct in itself, but they also come with their own divergent vulnerabilities and malware. This leads to a complex array of networks which are difficult to monitor and keep protected.

We’re just beginning to realise the problem with many businesses only now catching up to the problems that can arise – i.e. protecting the company’s network and data when employees need access from their privately owned devices.

Not to mention the issues that employees may have around designating their device memory to work, sacrificing monthly data allowance and battery life. Device tracking is also an issue because the device can be location tracked by the company at any time.

One expert, Graeme Batsman, director of, has put forward an idea of an automated approach (this allows for port and device control, while being capable of remotely locking or deleting data). It’s a good idea, and a suitable start, but as BYOD becomes more commonplace, more solutions will need to arise. After all, the more we get used to enjoying working on our preferred technological machinery, the better our work productivity will become – businesses don’t want to lose out on that.

The attraction of contract working: Part Two

  Our last post was a sort of preamble to contract working, putting its arrival in the modern world as a way of working against a wider historical context, of how work patterns and behaviours, expectations and attitudes have changed as the world began to open up to one another. The continents of the planet may no longer be together as they once were – Pangaea (supercontinent) existed some 300 million years ago – but we are, as a species, more connected than ever before. All thanks to globalisation.

This blog will discuss the pros and cons of contract work – often described as fixed-term employment (worth knowing if some jobs are advertised as such) – in more detail.

Before we go into that, just one more point about contract work: a contract will usually include a full brief of the work required, responsibilities, the period of time in which the job is expected to be completed, how money is arranged (lump sum, in stages and expenses) and notable contact.


Let’s not waste any time hiding behind that subject matter that most people find uncomfortable bringing up: money. Contract workers, especially those in Information Security Roles, tend to have reasonably high day rates. However, it is worth noting that although such rates are sizeable, all self-employed people have to be aware that this includes “future taxes” payable after you’ve submitted your returns.

Flexibility is another major draw. Although specific contracts will have particular deadlines and requirements, in general, as in the case of being self-employed, contract workers can work to their own timetable. Equally, they can choose how much work they want to take up. You are, so to speak, your own boss.

Being a contract worker opens you up to a number of businesses and organisations and gets your name established. The more contracts an IT security professional does, the more people he gets to know, and likewise, employers are able to identify candidates they would like to hire again for future jobs. Hence, being a contract worker offers professionals an opportunity to network, albeit subtly. Talk about perks of the job!


There can be the assumption from outsiders looking in that contract work is a “swell gig”, and indeed it is, but, as any self-employed person can testify, it requires people to be superbly organised in the way they go about working.

For example, contracts are fixed, after which you can find yourself without work. In full knowledge of this, contract workers have to plan ahead and secure work before a start date. This way of operating has to be consistent if professionals want to keep working (although naturally we assume you will factor in your own holidays).

You lose out on some of the benefits that can (though not universally) come with regular jobs – pensions, medical care, career progression. The lack of such things and its impact varies from individual to individual. The pros can, for example, far outweigh the cons.

And so there we are…contract work. It is as much a way of living as it is working. It’s not everyone’s cup of tea, but for those who swear by it, it can be a very rewarding and fun way to work. Isn’t that the dream?