What the Titanic can teach us about cyber risk
Matt Palmer
Leading Cyber Security & Resilience | Director Jersey Cyber Security Centre | CISO, NED
Any company that has been around long enough will have stories that define or explain its culture or purpose. When I was CISO at Willis Towers Watson, one of those stories was how Willis Faber arranged the insurance for the Titanic. The risk of launching such a ship would have been too much for one company to take. Yet the £1m of cover arranged for her (which would be about £100m now) cost just £7,500, with the risk shared between many Lloyd's syndicates.
Controls mattered. Part of the discussions with insurers would have been the planned use of innovative new communications technology - tech that ultimately provided an early notice when the incident occurred and allowed for a prompt response.
Had it not been possible to plan for these risks, the Titanic and ships like her would never have been built. Had the insurance claim not been paid, then added to the loss of life would have been many financial burdens - including the almost certain loss of the company operating the ship, the White Star Line, and the jobs and economic activity that came with it. However, the insurance was paid within 30 days and the White Star Line survived, later merging with Cunard.
As we look back on a disaster 110 years later, it's worth remembering one simple fact that insurers implicitly appreciate but which cyber security practitioners rarely truly understand:
Risk management is not about stopping bad things from happening.
Rather it's about enabling great things to happen that otherwise could not. It's about making innovation possible. It's about making the future better and helping people and companies to be more successful. It's about allowing risks to be taken that can result in progress. In short, it's about finding a good way to say yes, when others are saying no.
Whether it is the early tea clippers and the Titanic, or ships being launched into space, the developments that made the way we live today possible would not have happened without risk managers finding ways to say 'yes'.
And this includes the digital infrastructure we rely on today, from iPhones to the internet, from cables to cloud computing. Like it or not, these developments were only possible because instead of just saying "isn't this too risky?", someone asked "how do we do this successfully, sustainably, and responsibly?". A boring question on the face of it. But one we can't live without.
And one we should not forget.
Like all good risk management, good cyber security is about finding the best way to say yes.