Do not panic. Nothing has changed. Our physical world is not flat. But the world of risk management is flat. That’s because we are taught to see only the outer shell of reality. What we do not see is the depth of the relationships between things: the curvature of our world.
What am I talking about? If you look at any risk management manual, you will know. How does it go? Identify assets, assign value, determine likelihood, prioritise risks. Repeat until satisfied. The standard canon that we all know about.
What is missing is the relationship between assets. Layers upon layers of dependencies that we never check because we do not have to. So the security of the system depends on the security of the firewall. The firewall depends on the management centre. The centre depends on another firewall, which depends on a configuration file… Seemingly endless sequences of dependencies that we neither record nor consider.
This situation becomes particularly acute when we get to the level of truly complex systems, where everything depends on everything else. No matter what asset we identify, we have to consider all other assets as well. But we consider none, because it is not required. And because we have no tool for it.
If we want to see the true shape of the world, we need a dependency analysis tool. It is not impossible: every decent operating system comes with one. The only challenge is that we have to work with trust as well, as dependencies are often resolved through trust. If it seems like a good place for Trust Governance, it really is.
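What such a dependency analysis tool looks like in its simplest form, as an added example (this is not the post's own code, nor any product's): a directed graph of "A depends on B" edges over the post's own chain (system, firewall, management centre, second firewall, configuration file), with each edge tagged by whether it is resolved through a technical control or through trust. The asset names, the extra edge that closes a cycle (the management centre managing the second firewall too) and the flat values are all constructed for the illustration. From the graph it derives what the flat register cannot show: the full set of things an asset rests on, the blast radius of each asset, a dependency-adjusted value, the trust relationships a given asset silently relies on, and the assets caught in dependency cycles.

```python
"""Dependency-aware asset analysis (added example; not from the original post).

Edges read "A depends on B": if B is compromised, A's security can no longer be
assumed. Each edge is tagged with how the dependency is resolved, since
dependencies are often resolved through trust rather than a technical control.
"""
from collections import defaultdict, deque

# Constructed sample inventory following the post's chain: system -> firewall ->
# management centre -> second firewall -> configuration file. The extra edge
# firewall-2 -> management-centre (the centre also manages the second firewall)
# forms a cycle, the "everything depends on everything else" case.
DEPENDS_ON = {
    "system": [("firewall", "control")],
    "firewall": [("management-centre", "trust")],
    "management-centre": [("firewall-2", "control")],
    "firewall-2": [("config-file", "control"), ("management-centre", "trust")],
    "config-file": [],
}

# "Flat" values as a conventional risk register would assign them (constructed).
ASSET_VALUE = {"system": 100, "firewall": 20, "management-centre": 15,
               "firewall-2": 20, "config-file": 1}


def _reachable(start, adjacency):
    """Breadth-first closure over `adjacency`: every node reachable from `start`
    (including `start` itself when a cycle leads back to it)."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in adjacency.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def _forward(deps):
    """Adjacency without the edge tags: asset -> assets it depends on."""
    return {a: [b for b, _ in edges] for a, edges in deps.items()}


def _reverse(deps):
    """Reverse adjacency: asset -> assets that depend on it."""
    rev = defaultdict(list)
    for a, edges in deps.items():
        for b, _ in edges:
            rev[b].append(a)
    return rev


def transitive_dependencies(asset, deps=DEPENDS_ON):
    """Everything `asset` ultimately rests on: the depth the flat view hides."""
    return _reachable(asset, _forward(deps)) - {asset}


def blast_radius(asset, deps=DEPENDS_ON):
    """Every asset whose security collapses if `asset` is compromised."""
    return _reachable(asset, _reverse(deps)) - {asset}


def effective_value(asset, deps=DEPENDS_ON, values=ASSET_VALUE):
    """Flat value plus the value of everything in the blast radius: what a
    dependency-aware register would rate the asset at."""
    return values[asset] + sum(values[a] for a in blast_radius(asset, deps))


def trust_dependencies(asset, deps=DEPENDS_ON):
    """Trust-resolved edges lying on `asset`'s dependency paths, i.e. the trust
    relationships its security silently relies on."""
    scope = transitive_dependencies(asset, deps) | {asset}
    return sorted((a, b) for a in scope for b, how in deps.get(a, [])
                  if how == "trust")


def assets_in_cycles(deps=DEPENDS_ON):
    """Assets that transitively depend on themselves."""
    fwd = _forward(deps)
    return sorted(a for a in deps if a in _reachable(a, fwd))


if __name__ == "__main__":
    for asset in DEPENDS_ON:
        print(f"{asset:18} flat={ASSET_VALUE[asset]:4} "
              f"effective={effective_value(asset):4} "
              f"blast_radius={sorted(blast_radius(asset))}")
    print("trust relied on by 'system':", trust_dependencies("system"))
    print("cyclic dependencies:", assets_in_cycles())
```

Run as a script it prints one line per asset. The point of the sample data is the last line: the configuration file carries a flat value of 1, but its blast radius contains the whole chain, so its effective value is 156, higher than the system it ultimately protects. The trust listing for `system` shows that its security rests on two trust relationships it never appears next to in a flat register, which is where a trust governance view would need to attach.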