


by Lloyed Gauntlett Hession

Presenting Risks to Executives

Jun 10, 2003 · 1 min read
CSO and CISO · Data and Information Security

The key is to present risk as a business decision requiring action. You will probably do more harm than good in attempting to frighten a budget out of senior management by pointing to all the dire consequences associated with a particular risk. Instead, using knowledge, experience, published statistics and even some guesswork, provide management with an assessment of the magnitude of the risk and a menu of options for solving the problem. The menu should include the cost and “residual risk” of each mitigation strategy. Residual risk is simply the risk left over once you’ve implemented your solution.
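
The "menu" described above, as an added example that is not part of the original article: each option is shown with its annual cost and the residual risk it leaves, so management compares total annualized cost rather than a list of scary outcomes. The annualized-loss model (expected loss per incident times expected incidents per year, with each control removing an estimated fraction of that loss), the control names, and all dollar figures are constructed assumptions for illustration; the article itself prescribes no particular formula.

```python
"""Added example (not from the article): a risk menu for executives.

Model (an assumption, not the article's): annualized loss expectancy
ALE = single-loss expectancy x annual rate of occurrence; a control
removes an estimated fraction of that loss; residual = what is left.
All names and numbers below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # yearly cost of the option (licences, staff, services)
    reduction: float     # estimated fraction of expected loss removed, 0.0 .. 1.0

    def __post_init__(self) -> None:
        # A reduction outside [0, 1] is a data-entry error, not a real control.
        if not 0.0 <= self.reduction <= 1.0:
            raise ValueError(f"{self.name}: reduction must be between 0 and 1")
        if self.annual_cost < 0:
            raise ValueError(f"{self.name}: cost cannot be negative")


def annualized_loss(single_loss: float, annual_rate: float) -> float:
    """Expected loss per year: loss per incident times expected incidents per year."""
    return single_loss * annual_rate


def residual_risk(ale: float, control: Control) -> float:
    """Expected annual loss that remains once the control is in place."""
    return ale * (1.0 - control.reduction)


def risk_menu(single_loss: float, annual_rate: float,
              controls: List[Control]) -> List[Dict[str, object]]:
    """Build the option table: cost, residual risk and their sum, cheapest total first.

    'Accept the risk' is always the first candidate so the do-nothing
    baseline is on the same page as every mitigation.
    """
    ale = annualized_loss(single_loss, annual_rate)
    rows = []
    for c in [Control("accept the risk", 0.0, 0.0), *controls]:
        residual = residual_risk(ale, c)
        rows.append({
            "option": c.name,
            "annual_cost": c.annual_cost,
            "residual_risk": residual,
            "total": c.annual_cost + residual,
        })
    rows.sort(key=lambda r: r["total"])
    return rows


def example_menu() -> List[Dict[str, object]]:
    """Constructed sample: a $100,000 annual exposure and three hypothetical options."""
    single_loss = 200_000.0   # assumed loss per incident
    annual_rate = 0.5         # assumed: one incident every two years
    controls = [
        Control("MFA on remote access", annual_cost=15_000.0, reduction=0.75),
        Control("managed log monitoring", annual_cost=12_000.0, reduction=0.25),
        Control("annual penetration test", annual_cost=40_000.0, reduction=0.50),
    ]
    return risk_menu(single_loss, annual_rate, controls)


if __name__ == "__main__":
    print(f"{'option':28} {'cost':>10} {'residual':>10} {'total':>10}")
    for row in example_menu():
        print(f"{row['option']:28} {row['annual_cost']:>10,.0f} "
              f"{row['residual_risk']:>10,.0f} {row['total']:>10,.0f}")
```

Run as a script it prints the four options with "accept the risk" at the bottom of the table at $100,000 of residual exposure and no spend, which is exactly the kind of line item management can compare with the $40,000 total of the cheapest mitigation. The reduction percentages are where the "guesswork" in the article lives; label them as estimates in the deck, since the ranking changes if they move.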

It is up to management to determine exactly how much risk the company can afford to accept. It may very well be the case that senior management is comfortable with a $100,000 exposure. The security expert adds value through this analysis because it reduces the problem to the type of business decision that management is used to making every day.

The job of the security team is to enable intelligent corporate decisions regarding security. Business is a series of trade-offs, and presenting risk in terms of those trade-offs demystifies security decisions and results in a cost-effective set of controls.