Embracing risk management elevates security pros to business leaders. Why do they still find it so difficult?

The transition from “it’s all about security and protecting the crown jewels” to “we need to mitigate risk and embrace risk management” is a crucial next step for the information security profession.


A few weeks ago, I spoke at the 2018 SecTor Conference. The ensuing Q&A on the concept of risk soon evolved into a discussion on whether “risk” has become a four-letter word. The kind we’re taught to avoid using in polite company.

Many information security professionals are now embracing the word and concept of risk to elevate their responsibilities and budget requests to business and even board-level consideration. The transition from “it’s all about security and protecting the crown jewels” to “we need to mitigate risk and embrace risk management” is a crucial next step for the information security profession. Despite this, some of us still struggle with the word “risk”.

So why is there so much anxiety in infosec circles about this four-letter word?

One reason may be that in many organizations, the mere mention of the word, or rather the concept, of risk conjures up concerns they may not want to know about, may not want to acknowledge, or would prefer to sweep under the proverbial rug. This reaction may be related to the fact that the organization is unable to manage risk effectively. In these cases, the organization may not be aware of what risks and consequences it is facing, or it may not have clearly defined what risk means to it. This may be due to a lack of organizational maturity, including that of key personnel.

In some companies, discussions about risk may be few and far between — especially when the concept is just not a part of the organizational vernacular. This can be due to a lack of clear ownership for risk management activities or appropriate governance processes. These conditions are far more troubling for publicly traded companies, and especially those operating in regulated industries.

Risk management starts with senior management

Without effective leadership from executives, difficulties will arise from a basic lack of information and understanding of roles and responsibilities. For example, uncovering new risks may lead to a lot of extra work. In some organizations, the individuals responsible for carrying it out will not get credit, or may even be penalized for the costs and delays incurred. It may also be determined that risk mitigation costs are too high and would take funding away from previously approved projects.

To complicate matters, prevention alone is no longer the answer. Overall, organizations are having less success in stopping attacks now than ever before. To adapt, a strong internal understanding of risk is needed, including what it means to the organization and how to mitigate it successfully. What organizations must remember is that effectively responding to and managing a security incident is just as important as trying to prevent it in the first place.
