Big Data, Analytics, Data Science & Information Risk

Who would have ever thought that a recruiter, hiring manager, or HR-related being writing a job description could create reputation risk? Well, as luck would have it, a Tumblr site, “Tech Companies That Only Hire Men”, is maintaining a list of companies and their respective “gender biased” postings. While this is an amateur example, it highlights how easy it has become to mine data, draw inferences, and publish content.

With all the buzz around Big Data, Analytics, Data Science, etc., this type of activity is exploding. And mind you, it’s not just within the walls of big institutions that were once the privileged few able to afford the resources required to perform such work. The consumerization of such enterprise endeavors and techniques is gaining pace rapidly. For examples, just look around you – Coursera offers massive open online courses (MOOCs) on data science; Microsoft provides an easy-to-use online functional programming tool, as well as a marketplace for data to go along with it.

What does this imply for information risk? Quite simply, the field is coming into sharper focus. Traditional notions and practices surrounding security and privacy are being challenged like never before. Virtually every living and non-living entity becomes a stakeholder in these debates, which means scope and complexity will grow exponentially. These are good developments. Overall, as uncomfortable or tenuous as our predicaments may become in the near term, my vision for the industry spells greater investment, better talent, and consequently more elegant outcomes. This is just the beginning.


Ideal risk management (video clip)

This TV commercial from ICICI Prudential Life Insurance Co. Ltd. caught my attention and keeps playing on my mind. The more I think about it, the more it resonates with some notion of ideal risk management. Words or phrases that come to mind while watching this 90s clip are Trust, Comfort, Safety, Assurance, Security, Protection, Always-On, There but Not Visible, Pervasive, Mitigation, and some others I am missing. I would like to believe that truly great risk managers (should) aspire to discharge their responsibilities without blowing their horn or making benefactors feel obliged.

P.S. The background jingle essentially translates into “They are Good People”. Oh, and one other thing, I am not associated with ICICI Prudential – this is a completely independent and voluntary expression and not a sponsored endorsement by any means.

Global cybersecurity round-up

The new year seems to have ushered in a slew of cybersecurity efforts the world over. While there is plenty of debate around the motivations for the level of attention this topic is receiving, I believe most of it is warranted due to the converged nature of commerce, information, and society. 1’s and 0’s are leveling the playing field like never before and digital connectedness is giving rise to either (a) unexpected consequences that force institutions into action or (b) realization of virtual turfs that need to be claimed and protected like physical analogues. Here’s a summary:

(US) January 9 – Business Roundtable Trade Group calls for “More Intelligent, More Effective Cybersecurity Protection”

(India) January 11 – Government wants every piece of computer hardware to ship with a “Cyber Security Awareness Brochure”

(Singapore) January 14 – Parliament passes amendment to Computer Misuse Act increasing government’s preemptive options as well as consequences for non-compliance

(Australia) January 23 – Julia Gillard heralds a new national security strategy, including setting up of a new cyber security center

Risk of the early click

There has been a recent spate of premature earnings releases, thanks to what I’m going to call the “early click”. It is evident that even the world’s biggest, well-managed companies have not accounted for a risk with reasonably high likelihood in the technology space and significant impact in the financial space. Chances are, as the earnings release process moved from a purely manual set of tasks to an automated workflow, nuances relating to control were missed. The inadvertent mistakes result in some real and measurable impact, as in the case of Google, which lost more than $22 billion from its market capitalization due to the sudden drop in share price. So, what can or should companies do about this?

  • Authorization – guessing that most organizations have this in place by virtue of allowing only designated individuals or third parties to file such releases or to “click” the necessary buttons
  • Authentication – this is the part that is probably missing and needs to be bolstered. To “click” is simple, fast, instantaneous. But to validate that click is not. Build in a password interrupt, segregate it between 2 human beings, or time-delay its real-world impact

In hindsight, it’s amazing to observe that single individuals have the power to push out material information, with seemingly no other checks and balances. In addition to the above steps, organizations should continually “Assess” their current processes and consider “Advance Staging” to simulate the release process in a sandboxed environment. No doubt, there are a lot of things that need to happen before updates hit the wire – continue those practices in a virtual space and have everything ready before that final click to the real world.
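As an added illustration (not part of the original post), here is how the controls above could combine into a single release gate: authorization, a password interrupt, two distinct approvers, a time delay, and a sandbox target for advance staging. The class name, user names, timings and document id are all hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

class ReleaseBlocked(Exception):
    """A publish or approval attempt failed one of the controls."""

@dataclass
class ReleaseGate:  # hypothetical name, not a real product API
    doc_id: str
    embargo_until: datetime                 # earliest allowed wire time
    authorized: frozenset                   # who may approve or click
    cooling_off: timedelta = timedelta(minutes=10)
    approvals: dict = field(default_factory=dict)  # user -> approval time

    def approve(self, user, reauthenticated, now):
        if user not in self.authorized:
            raise ReleaseBlocked(f"{user} is not authorized")
        if not reauthenticated:             # the "password interrupt"
            raise ReleaseBlocked(f"{user} must re-enter credentials")
        self.approvals[user] = now

    def publish(self, user, now, target="sandbox"):
        if user not in self.authorized:
            raise ReleaseBlocked(f"{user} is not authorized")
        if target == "sandbox":             # advance staging: always allowed
            return f"{self.doc_id} staged in sandbox"
        if len(self.approvals) < 2:         # two distinct human approvers
            raise ReleaseBlocked("second approver required")
        if now < self.embargo_until:
            raise ReleaseBlocked("embargo still in force")
        if now - max(self.approvals.values()) < self.cooling_off:
            raise ReleaseBlocked("cooling-off period not elapsed")
        return f"{self.doc_id} published to wire"

def demo():  # replays a constructed timeline; returns each click's outcome
    t0 = datetime(2030, 1, 15, 20, 0, tzinfo=timezone.utc)  # constructed date
    gate = ReleaseGate("Q4-draft", t0 + timedelta(hours=1), frozenset({"alice", "bob"}))
    log = []
    def click(user, minutes, target):
        try:
            log.append(gate.publish(user, t0 + timedelta(minutes=minutes), target))
        except ReleaseBlocked as exc:
            log.append(f"BLOCKED: {exc}")
    click("alice", 0, "sandbox")            # rehearsal succeeds
    gate.approve("alice", True, t0)
    click("alice", 0, "wire")               # early click by one person
    gate.approve("bob", True, t0 + timedelta(minutes=58))
    click("bob", 59, "wire")                # before embargo
    click("bob", 61, "wire")                # embargo passed, approval too fresh
    click("bob", 70, "wire")                # all controls satisfied
    return log
```

Calling `demo()` shows the same click being refused three times for three different reasons before it finally reaches the wire.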

Risk Management in Bollywood?

According to this report of a study from my b-school (go IIM A!), the opening risks of a film in Bollywood can be managed through careful marketing budget allocation. While this seems obvious, Bharathan Kandaswamy and his students have been able to zone in on the correlation in tranches of various film budget sizes. So, if you’re thinking of producing a lean Bollywood flick with a budget of about $2 Million and no recognized stars, plan to spend 70-80% of that on marketing (!) for likely success during the opening weekend. And that doesn’t guarantee “hit” status in the mid-to-long term. For bigger budget films with known stars, the proportion of marketing spend for opening success drops significantly. Note to budding actors: once you attain star status, gear up to deliver promotional mileage too!

Career Risk of being a Risk Manager

This is a long, but essential read, especially for those of us in positions involving direct risk management responsibility. While it may be argued that every leader or senior executive is accountable for risk management and faces similar repercussions, the irony of potential career risk cannot be greater than for those who own and manage such functions day-to-day. I’m referring to Chief Risk Officers, Chief Security Officers, Chief Information Security Officers, and the like. To cut to the chase, this paragraph from the article sums up the point about managing career risk:

“For a few years, one of Drew’s friends had been talking to her about retiring. For that friend, it was yet another matter of risk calculation: If she was going to retire soon enough anyway, her friend advised, do it while she was still on top, before time stopped being on her side. Wait long enough, and someone else might decide for her. Or something might go wrong, as things do.”

(Urgent) Lessons from an epic hack

A recent incident account by Mat Honan in Wired’s Gadget Lab caught my attention. This is serious stuff in light of the prevalent and growing suite of online services we use today. While you may read the entire story here, I would like to provide a summary of the urgent lessons or takeaways from this. It’s simple stuff – make it part of your digital routine like you do with drinking x glasses of water in a day!


  • Break “daisy-chains” between important online accounts. In layman’s terms, set one strong password for your primary e-mail account and a different strong password for, say, your online banking account. By doing so, you can prevent a compromise of one account from causing collateral damage, or compromise of another account
  • Take advantage of the strongest form of authentication that your online service provider offers. If your bank or your favorite search/e-mail provider makes a stronger authentication routine available, chances are that was a business decision backed by data and not just a nice-to-have cool feature. Use it
  • Back up your systems and data regularly. This is information security 101 and is stressed over and over again. If you do not have an operating system or computer with usable, automatic backups enabled, then at minimum, do a weekly copy-paste of your critical folders to a USB pen drive or similar media
  • Question the need to plunge into all the latest features. Please don’t misconstrue this as advocacy to stay behind the curve, but many user interfaces these days simply entice you to swipe or click in agreement with enabling a new feature. Why offer yourself as a guinea pig? Let things burn in, then jump into the pool!
  • Create a confidential e-mail address. Reading Mat’s account, until businesses improve their customer identity and online security processes, it may be a good idea to maintain a non-publicized e-mail account for official/serious/non-social matters. Somewhat akin to different numbers for different purposes (home/work/cell)
  • Resist the temptation to build loyalties with a single ecosystem. This could be the seed for a greater debate but do you really have to put all your digital eggs in one online basket? Afford yourself redundancy, make it harder to connect the dots, encourage competition. Sum of parts is greater than the whole!