• United States



“IT Risk” does not exist.

Dec 26, 20082 mins
Business ContinuityCareersData and Information Security

Yes, ladies and gentlemen, according to the Institute of Internal Auditors(IIA), “there is no such thing as ‘IT Risk'”.  There are those, however, who define the risk landscape solely from a technical perspective.  After closing a semester of teaching web application security, I wanted to share my observations and concerns regarding the understanding of “risk” among the next generation of security professionals.

Most of the 11 students in the class had technical backgrounds.  The balance received prior technical training on Cisco and Microsoft.  Their focus on technical security controls became evident within the first two weeks.  Given the nature of the material, I created a business scenario to frame my discussion of secure software development.  The class reaction was revealing.

While the students appreciated a perspective of how the technical controls were used in a business environment, discussion of risk issues consistently focused on those controls.  For most of the students, the business was of little import.  As the class progressed, I was able to persuade all but two of the students of the critical role the business driver play.  These student held to their conviction that a secure infrastructure is all that is required and that the business should give technical personnel more authority in driving policy concerns.

As an auditor, I evaluate technical controls that are associated with a business risk.  To do the opposite invites chaos and poor audit results.  However, my experience as an instructor gives me cause to consider that some security professional will enter the market with a control-centric definition of risk.

I pose a question to my readers —  in what ways have you encountered this perspective in your roles?  What have been the implications of this view?  What has been done to address it?


Steven F. Fox provides security guidance to ensure compliance with Federal standards and requirements as a Senior Security Architecture and Engineering Advisor for the IRS. Fox contributes to multiple working groups including the IPv6 transition team, Developer Security Testing workgroup and the Security and Privacy workgroup. He brings a cross-disciplinary perspective to the practice of information security; combining his experience as a security consultant, an IT Auditor and a systems engineer with principles from behavioral/organizational psychology to address security challenges. He is a syndicated blogger covering IT Governance, Risk Management and IT-Business fusion topics. He also volunteers his time to the Ponemon Institute and Security BSides Detroit. Follow him on Twitter - Join his LinkedIn network -