In any case, the core of disagreement is over how we use the term "risk management", as shown in this comment:
what Rob doesn’t seem to understand is that post-incident risk management is kind of like causal analysis, but (hopefully) with science involved
I’ve never thought of incident analysis (a.k.a. causal analysis, a.k.a. failure analysis) as part of risk management. Indeed, it’s the unhealthy obsession with incident analysis that is what’s wrong with cybersecurity.
Most people assume that risk management is about preventing bad things from happening. That’s not true. A "risk" could mean good or bad, and "management" means, well, managing risks, not eliminating them. As the Wikipedia article on risk management says, it’s not only about minimizing unfortunate events, but also maximizing opportunities.
That "maximizing opportunities" never comes up in cybersecurity risk management, which is why cybersecurity is so out of step with the rest of the company. If cybersecurity experts had their way, they wouldn’t let the website go live until they’d made sure it was impossible for hackers to break in. But from the CEO’s perspective, that delays time-to-market: the risk that competitors come to market first is a bigger risk than hackers. When the CEO makes the website go live, even though you’ve warned him of obvious vulnerabilities, it means he understands risk management better than you do.
Everybody does incident analysis after a hacker breaks in. Nobody does incident analysis after the website was delayed because of cybersecurity concerns. Yet, from the CEO’s point of view, these are equal risks. The fact that cybersecurity focuses on one, but not the other, shows how out of touch our industry is.
Another way of defining "risk management" is "uncertainty management". If you wait until the incident is over, then you aren’t dealing with uncertainties anymore. The fascinating thing is to discuss what’s uncertain.
For example, as Alex points out, nobody trusts that TEPCO (the company operating the Fukushima power plant) is telling the truth. Alex says that means we can’t do risk management. I say the reverse: this is a great example where the government, businesses in the area, and average citizens have to make decisions based upon the uncertain information TEPCO gives them. They can’t wait until the incident is over -- they have to act now. Government policy makers have to take the information TEPCO gives them, make guesses about TEPCO’s honesty and competency, and make decisions, for example about how far from the plant people should be evacuated.
That’s risk management, not post-incident analysis.