Why I Don't Like CRISC, Day Two
Yesterday, I offered up a little challenge to suggest that we aren’t ready for a certification around understanding information risk. Today I want to mention why I think this CRISCy stuff is dangerous.
What if how we’re approaching the subject is wrong? What if it’s mostly wrong and horribly expensive?
I’m going to offer that we’re still too early on to know the answers to these questions (an offer that, if correct, would also serve to prove my point yesterday about CRISC). But if it turns out that we are doing things incorrectly (and really, what’s the probability that we are doing risk management correctly?) – does something like CRISC make it easier or more difficult to change to something more effective?
Obviously, you don’t have to have a degree in Organizational Behavior to identify the problem here. If our approach to risk management is wrong, then CRISC is only going to serve to ensure that we are set in our incorrect ways.
Now where this should *really* upset you, my dear reader, is if you subscribe to various theories about how sciences progress. If you believe that sciences progress by sporadic, somewhat instantaneous little revolutions – then we’re totally screwing ourselves by creating a bureaucracy that makes it more difficult for the next revolution to take place. And believe me, as I’ve found out over the past 4 years, creating that revolution in risk management is hard enough already.