To Risk or Not to Risk: That is the Question

To Risk or Not To Risk is definitely the right question, but unfortunately it is not being asked in many cases. Instead, what is being asked is To Spend or Not To Spend?
This can be a dangerous practice. The reason is that generally when you say “No” to a security proposal, you say “Yes” to accepting risk. Here is a somewhat shocking discovery made when my company recently reviewed the proposal history of a dozen organizations:
- Business managers were unknowingly accepting security risks by saying “No” to security proposals, based upon budgetary considerations.
- It was within their authority to say “No” to the financial expenditure.
- It was not within their authority to accept the risk!
Don’t be too quick to blame the managers. What could they do if the security practitioners failed to identify the risks in their proposals? The managers were not security experts, so how could they even guess?
Our review also revealed a very positive discovery. The managers who said “No” to the proposals didn’t have the authority to accept the risk. So we looked higher in the organization. Here is what we found:
When we located the person with the authority to accept the risk, this executive also had the means to obtain funding for risk mitigation if the risk was serious enough to not be acceptable to the organization.
This works out for most organizations. The executives who are charged with managing operations at a certain level are also provided with the means to carry out their responsibilities. Those responsibilities include the protection of the assets within their care. (After all, they aren’t Security’s assets; they are corporate assets and thus are the responsibility of corporate management.)
Thus for the security practitioner, addressing risk factors properly involves understanding the organization and the positions and responsibilities of the people who manage it. This is part of integrating security with the business. In almost every case our experience has shown:
Once business managers understand the security risks, they become Security’s ally in addressing the risks.
In each case it was easier than expected to obtain needed approvals and support.
Best regards,
Ray Bernard
P.S. There is no additional link to follow for this issue of The Security Minute. This story was able to be told in about a minute!