“IT Risk” does not exist.

Yes, ladies and gentlemen, according to the Institute of Internal Auditors(IIA), “there is no such thing as ‘IT Risk'”.  There are those, however, who define the risk landscape solely from a technical perspective.  After closing a semester of teaching web application security, I wanted to share my observations and concerns regarding the understanding of “risk” among the next generation of security professionals.

Most of the 11 students in the class had technical backgrounds.  The balance received prior technical training on Cisco and Microsoft.  Their focus on technical security controls became evident within the first two weeks.  Given the nature of the material, I created a business scenario to frame my discussion of secure software development.  The class reaction was revealing.

While the students appreciated a perspective of how the technical controls were used in a business environment, discussion of risk issues consistently focused on those controls.  For most of the students, the business was of little import.  As the class progressed, I was able to persuade all but two of the students of the critical role the business driver play.  These student held to their conviction that a secure infrastructure is all that is required and that the business should give technical personnel more authority in driving policy concerns.

As an auditor, I evaluate technical controls that are associated with a business risk.  To do the opposite invites chaos and poor audit results.  However, my experience as an instructor gives me cause to consider that some security professional will enter the market with a control-centric definition of risk.

I pose a question to my readers —  in what ways have you encountered this perspective in your roles?  What have been the implications of this view?  What has been done to address it?