Two weeks ago Dr. Alexander Pasik, CIO of IEEE, posited that businesses would be more inclined to use cloud services if service providers carried insurance against data breaches. I could not disagree more. I do not disagree that providers (cloud-based and internal) need to proactively manage the operational (security, availability, and scalability) risks to their computing platforms. What I disagree with is the use of insurance to do this.
The very definition of risk management is selection of the right strategy based on the nature of the risk you are facing. In general, there are four different strategies to manage risk:
- Avoidance: Reducing or eliminating the chance that a risk will occur. An everyday life example of this is driving carefully to avoid an accident.
- Mitigation: Reducing the damage that a risk will cause if it occurs. When you wear a seat belt in your car you are mitigating accident risk.
- Transfer: Moving fungible damage from a risk to a third party. Buying automobile insurance to pay accident-related bills is a use of risk transfer.
- Acceptance: Actively deciding to accept the consequences of a risk, if it occurs. Those who drive over the speed limit are accepting the risk of getting a ticket.
Use of insurance – a risk transfer strategy – is the wrong approach to manage the operational risks of computing (cloud or on-premise). Why? Because techniques like these only transfer the fungible portion of the risk to a third party. Unfortunately, much of the damage a risk can cause is not fungible: lost customer trust, regulatory exposure, and business disruption cannot be paid off by an insurer. As a result, risk transfer strategies often fail to sufficiently manage risk, creating a false sense of security for those who rely on them.