Time for a Change in our Attitude Around Risk

Sunday, February 05, 2012

Norman Marks


Recently I read a piece in ComputerWeekly that made me cheer.

Risk and audit professionals, as a rule, have never seen an (adverse) risk* they didn’t want to stamp on and kill.

When is the last time you saw an audit report that said management had too many controls or was not taking sufficient risk? When did you last hear a risk officer urging planners to move into a new market more quickly?

The same thing applies to information security personnel, so I was pleased when I read an article on “How the CISO must evolve to balance risk and business”.

Here are some excerpts that appealed to me:

  • “Business success increasingly depends on the ability to balance the demands of cyber threats and regulatory compliance with innovation and growth.”
  • “...communicate with the board and managers in various parts of the business;… run security as a business;… eliminate redundant controls; and… work with the business to enable innovation and growth”.
  • “More specifically, the CISO needs to evolve from an isolated subject matter expert and analyst to a trusted advisor on how technology can improve business; to an integrated business thinker, facilitator, leader, evangelist and educator.”
  • “The CISO must move from being a technical risk expert who focuses on the risk of loss, to include risk as a more central part of the role by understanding business priorities while continuing to maintain the corporate moral fibre [sic].”
  • “This involves taking risks to meet business objectives, but this can only be done successfully with a thorough understanding of the risk appetite of the business involved.”
  • “…identify where the business is missing opportunities – either by being too risk-averse or through worrying too much about risks that were a real threat once, but can now be mitigated with relative ease.”

It is this balance in thinking about risk, the recognition that a business that takes no risk will fail, that too many audit, risk, and security professionals lack.

I don’t believe it is acceptable to take the attitude that “our job is to identify a risk; it is management’s job to determine what to do about it”, and then complain when management decides to accept the risk.

Let’s take a risk and accept that some risks should be allowed to live.

*I define risk as the effect of uncertainty on objectives (ISO 31000:2009)

Neira Jones:
Hello Norman,
I'm glad you liked what I said in that article. For the full post, see http://neirajones.blogspot.com/2012/01/rise-of-new-ciso-risk-management-vs.html?spref=tw
Kind regards,

Hedge Hog:
"I don’t believe it is acceptable to take the attitude that 'our job is to identify a risk; it is management’s job to determine what to do about it', and then complain when management decides to accept the risk."

I agree. Too often the CISOs are second-class citizens within the management structure, or actually prefer not to assimilate. Either way, changing those attitudes would help this situation a lot.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.