FOUNDER Overview and Introduction

I started my career in information security working as a computer virus researcher at Computer Associates on Long Island, New York, from 2000 to 2005. During that time, I had the privilege of being taught computing and operating system fundamentals by bona fide white hat security engineers and systems architects. These specialists, unbeknownst to them, instilled in me many truths that still reverberate strongly in today’s modern hyper-digital-and-information-rich economy and businesses of technology. In my experience, as every organization grows larger in size and complexity, it converges toward experiencing the same issues of not being able to properly assess risks and, consequently, not being able to properly achieve sound decision-making, at least not using any of the results and findings derived from its risk management programs.

And I’m not sure why… the good news, at least according to me, is that all organizations can adopt a set of guiding principles to realistically achieve sound decision-making by focusing their risk efforts on the governance and operationalization of their information-technology powered assets, namely, their people, process, and technologies.

Given the way business must get done in modern organizations, we don’t necessarily have to understand why all of this complexity and lack of understanding exists, rather, we simply should acknowledge that the technology and financial industries do and will continue to require all sizeable companies to document the programs and procedures of, and ultimately manage, their IT systems, if not control them, to an extent that those IT systems will be able to reliably operate and support and deliver a business service.

And for some reason (and again not knowing why), controlling systems and processes is an incredibly difficult thing to do for people and for companies of all shapes, sizes, and forms. Luckily, even in situations that require control, we don’t need to be stellar or even that good at controlling systems; we only need to understand how these systems, your assets, change over time in the face of increasing levels of work and stress. It is therefore imperative, and much more important, to compare and contrast and assess your assets’ work performance, throughput, and capabilities against those of other assets, rather than to leverage the apparent best practices of industry control frameworks and risk calculations and mitigation techniques.

At Plan B Risk Specialists, we will demonstrate how all of the above is true, and how an asset-based risk management program that supports and enhances organizational decision-making can be accomplished.

—————————————

As the founder of Plan B Risk, I was conferred a Bachelor of Science in Engineering degree with a major in Computer Science & Engineering from the University of Pennsylvania School of Engineering and Applied Science (SEAS).

I also was conferred a Master of Business Administration with a major in Finance from New York University Leonard N. Stern School of Business (Stern).

—————————————

While the truth may be disheartening, the IT Risk Management practices utilized by companies for the past 50 years or so have simply not helped those companies to reliably prevent IT problems and issues. This claim can be evidenced independently by the ever-growing number of system and software security vulnerabilities and the various cyber security and privacy unauthorized data disclosure breaches now so commonplace and reported widely across all forms of media and press over the past 25 years.

—————————————

All of this I’ve just said bothered me for many years. It troubled me since IT and security were my passions. So…

I extensively studied and researched technology management, knowledge management, innovation, and risk management at New York University’s Polytechnic Institute, and non-repudiation and cyber security systems at Pace University’s Seidenberg School of Computer Science and Information Systems, both as part of doctoral-level (Ph.D. and professional doctorate) programs.

15 years later, with the above knowledge in the public domain, IT and cyber security risk management, as a whole, still continues unabated without any significant update to its primary risk methods… it continues to use probabilities and attack and threat landscapes and modeling and such to derive a risk severity rating.

Suffice it to say, the above methods are provably impossible to ever be reliably useful… for something to be reliable, it must be able to be trusted, but to trust the risk results of modern organizations would be folly, as doing so would expose those organizations to ruin, and yet the teams responsible for risk assessments and decision-making continue to do so. To trust modern risk programs is akin to a No-Limit Texas Hold’em poker player who goes all-in with his or her chips pre-flop (which is before the flop of community cards), without ever looking at his or her two hole cards. The hole cards in this analogy are your assets. To assess the risk of winning or losing, we MUST look at our assets; we must look at our cards.

—————————————

What I have assembled at Plan B Risk Specialists is a simple, practical, valuable, provable and POWERFUL method to estimate risk across various assets and asset classes, initially tailored for IT and cyber security risk management — this method and solution is a culmination of my academic and professional experiences, having worked at over a dozen different types of companies in technology, consulting, banking, financial services, luxury retail, higher education, e-commerce, SaaS, and insurance brokerages, with workforces spanning from 150 to 150,000 employees.

—————————————

If you’ve read this far, I implore you to explore the full Plan B Risk Training and Education Program or take the free courses or even the tests! (yes!)

Also available are downloadable materials — starter guides and spreadsheets — to transfer this base of knowledge and to spur other risk professionals to gain a better understanding of their most precious IT assets and systems (under their purview and control) and to help responsible teams mobilize their resources more appropriately, if not proportionally, to help those same assets become more secure, reliable, and trustworthy.

So… trust the knowledge. And the rest will come.

Richard Barilla

Plan B Risk Specialists, 2025

Domains of Expertise / Specialty Areas

Cyber Risk Consulting, GRC Advisory, and Risk Education Specialist
Information Security and Cyber Risk Management Program Transformation
Asset Propensity Risk Management
Risk and Comparative Analytics & Heuristics
Risk and Sensitivity Metrics and Estimations
Risk-based Decision-making

Risk Architecture Design and Implementation
Asset Propensity Risk Course Curriculums
On-demand Online and Virtual Security Training
Operational and Organizational Psychology

Security Budgeting, Strategy and Forecasting
Cyber Product and Solutions Evaluations
IT and Cyber Operational Controls Selection
IT Risk Controls <-> IT Regulatory Compliance Mapping and Alignment

Other Specialties: Privacy, Identity, Authentication, and Non-Repudiation Advisory Services