Brakes, Risk Tolerance, and Zero Trust
Key Points
- Brakes let you drive fast safely, just as security controls let organizations take calculated risks rather than reckless ones.
- Individuals (and organizations) have different risk tolerances—some prefer slower, safer options while others accept higher risk for speed or convenience.
- Security decisions must start with an assessment of that risk tolerance, shaping how aggressively you protect assets.
- A risk‑averse organization may deploy multiple firewalls and separate network zones (web, app, database) to add layers of protection, whereas a less‑averse one might rely on a single perimeter firewall.
- Aligning risk analysis with zero‑trust design ensures the chosen controls match the organization’s willingness to accept risk.
Source: https://www.youtube.com/watch?v=xt_Cdtvjbd4
Duration: 00:04:28
Sections
- 00:00:00 (https://www.youtube.com/watch?v=xt_Cdtvjbd4&t=0s) Brakes as Metaphor for Risk: Jeff Croom likens vehicle brakes to risk controls, explaining that they enable calculated risk-taking, and uses this analogy to illustrate how personal and organizational risk tolerances should guide zero-trust decisions.
Full Transcript
Hi, I'm Jeff Croom, I'm an IBM Distinguished Engineer, and in a previous video I talked to you about zero trust, and I concluded with the notion that risk analysis should inform our zero trust decisions.

So to extend that, let's think about a thought question: why do you put brakes on a car? Seems like an obvious enough question. Everyone says, so you can stop. Let me suggest to you it's so that you can go really fast.

And if you don't believe me, then think about how fast you'd be willing to drive a car that had no brakes. The answer is you wouldn't. You wouldn't even get in the thing. So why? What do brakes do for us? They allow us to take calculated risk as opposed to a wild, uncalculated risk. So they're the thing that allows us to control our risk. Now let's think about that and apply that to organizations and individuals and how we perceive risk.

For instance, some people, when it comes to travel, will say, you know what, I don't like getting in airplanes. I'm going to take a train everywhere I go. If it takes me four days to get from Chicago to San Diego and four days back, that's what I want to do, because that's my tolerance for risk. Someone else, like me, doesn't mind flying four million miles in the air. Okay, so I'm willing to get in the plane, but what I won't do, and where I draw the line, is getting out of the plane before it's on the ground.

In that case I'm going to say I'm in the middle on the risk tolerance. But then some people are willing to say, you know what, with a parachute I can get out of this perfectly good airplane and I don't have to wait for it to come down to the ground. Three different tolerances for risk, three different risk profiles. Now what does that have to do with this subject? Well, organizations are the same way. You could take a bank and it might be very risk averse, or another bank in the same industry might be much more tolerant to risk. So when we're making our security decisions, we have to consider what is our tolerance for risk to begin with.

So to illustrate that, what would it look like as an example? Well, if we have, for instance, here's a user who is going to hit our web server, and a more risk tolerant organization might say, I'm going to put a firewall in front so that I have some level of protection. Good enough, job done.

Now another organization might look at the very same set of issues, the things that we're trying to do, and might say, no, I'd like a little more protection. I'm going to put my web server here, but I'm going to make a separation between the web server and the data, the database in particular, so that I can add another layer of security, another firewall, a second firewall, so that now if there's a bad guy trying to get in, he has to traverse two security zones in order to get there. More protection, more averse to risk.

However, some organizations, like the train guy, are going to look at this even more risk-averse, and they're going to say, what I want to do is even more separation. I'll put my web server here, an application server behind it, and separate the data from the application. So now I have a path that looks like this: now I have a traditional DMZ for the web server, that's just the presentation services; the application itself is protected from the web server, and the data is separated from all of it.

So which one of these is the right answer? Well, it all depends. It depends on a lot of things. It depends on your tolerance for risk, your organization's tolerance: is your organization a train, a plane, or a parachute? It also depends on cost. If this is too expensive, or the type of data that I'm trying to protect isn't worth that level of protection, then I would scale back to one of these others.

So there's a lot of considerations that go into this, and if you want more help, we have some resources linked down below where you can see IBM can help in guiding these decisions.

Thanks for watching. Please remember to like this video and subscribe to this channel so we can continue to bring you content that matters to you.
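The three designs the transcript walks through (single perimeter firewall, web/data split, and web/app/data tiers), modelled as zone graphs with a small segmentation checker that counts the firewall boundaries between the user and the database and flags which hosts sit beside the data with no firewall in between. This is an added example, not IBM's or the speaker's code; the zone names, host placement and permitted flows are assumptions made for illustration.

```python
from collections import deque

# Constructed models of the three designs in the transcript (assumption:
# zone names, host placement and permitted flows are illustrative).
# hosts: host -> zone; flows: (from_zone, to_zone) pairs a firewall permits.
DESIGNS = {
    "single firewall": {
        "hosts": {"user": "internet", "web": "inside", "db": "inside"},
        "flows": {("internet", "inside")},
    },
    "two zones": {
        "hosts": {"user": "internet", "web": "web", "db": "data"},
        "flows": {("internet", "web"), ("web", "data")},
    },
    "three tier": {
        "hosts": {"user": "internet", "web": "dmz", "app": "app", "db": "data"},
        "flows": {("internet", "dmz"), ("dmz", "app"), ("app", "data")},
    },
}


def firewalls_crossed(design, src_host, dst_host):
    """Minimum number of firewall boundaries a flow from src to dst must
    cross: 0 if both sit in the same zone, None if no permitted path exists."""
    hosts, flows = design["hosts"], design["flows"]
    start, goal = hosts[src_host], hosts[dst_host]
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        zone, hops = queue.popleft()
        if zone == goal:
            return hops
        for a, b in flows:  # each permitted inter-zone flow crosses one firewall
            if a == zone and b not in seen:
                seen.add(b)
                queue.append((b, hops + 1))
    return None


def policy_findings(design):
    """Defender's checks: hosts sharing the database's zone (no firewall
    between them) and whether the web tier may reach the data zone directly."""
    hosts, flows = design["hosts"], design["flows"]
    data_zone = hosts["db"]
    beside_db = sorted(h for h, z in hosts.items() if z == data_zone and h != "db")
    web_direct = hosts["web"] == data_zone or (hosts["web"], data_zone) in flows
    return {"hosts_beside_db": beside_db, "web_reaches_data_directly": web_direct}


if __name__ == "__main__":
    for name, design in DESIGNS.items():
        print(name, firewalls_crossed(design, "user", "db"), policy_findings(design))
```

Flows are directed, so the checker also shows that nothing in the data zone can initiate a connection back out toward the user in the three-tier design.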