"My name is Sherlock Holmes. It is my business to know what other people don't know." - Sir Arthur Conan Doyle.

A few years ago, mum was taken to hospital after experiencing severe pain, after months of checkups, the doctors let us know that they had found and removed a few growths that showed to be precancerous. This type of cancer doesn’t show notable symptoms until later stages; we got lucky.

What’s this got to do with Discovery and how can this help with preventing issues from happening in your organisation? Do you want to be able to systematically identify and prevent issues or trust your luck? Every investigation or security incident begins with a series of events / indicators. Unfortunately, no one is walking around with an obvious sign stating that they are:

• A criminal hiding in the corporate environment waiting for the perfect moment to conduct a malicious act

• A well meaning employee, but about to do something silly with a potentially terrible impact on the business

Many years ago, I was involved in a project for a client that began as a rather small investigation of four employees; there were alleged inappropriate facilitation payments. What began as a small investigation became a project that spanned the global across several years; the team had collected and processed terabytes of data by the time I got involved. The project cost the client millions in fees and regulatory fines.

Would the story be different if the risky behaviours conducted by the employees had been uncovered early? The client would not only have the opportunity to stop the activity, but also update their internal processes and procedures to better identify similar types of activity from occurring in future. It would also put the client in a much better position if they needed to answer questions from regulatory bodies, if those arose. This is just one example of how Discovery can help companies mitigate early, before a situation gets out of the organisation’s control.

Discovery isn’t about predicting the future, it is about using data collected by the organisation to find the organisation’s truth. Traditional controls and frameworks, whilst extremely important, are built on rules and knowns. This means any activity that does not meet these preset requirements will be missed. To really understand Discovery, you have to think like an investigator.

Discovery takes this idea and looks at the entire environment instead of the realm of a specific investigation. There is no known outcome, no known risk; whatever the outcome/s may be is purely data driven. There is always the potential for risks that no one has identified or considered. As organisations grow and become more complex, more of these are likely to exist. Complexity breeds risk.

Here is a rough process of what a Discovery investigation may look like:
Data driven Indicator => Add business context => Hypothesis => Draw additional data sources => Testing to prove/disprove hypothesis => Shortlist potential outcomes & implications => Recommendation for a solution => Acid Testing => Report Finding & Recommendation => Feedback loop / assess

Before the next post, I want you to think about situations where a crisis was averted because of a series of fortunate events. If you want to take the “luck” out of that situation, join me in the next post where I will take you through a couple of examples.

Until next time!

Skye

Disclaimer: All statements and comments are my own. They do not reflect the views of any past or present employers.