The Second Law of Risk Management

Monday, February 14, 2011

Healthcare CSO


As promised, I have more thoughts explaining my "laws of risk management". Here comes the second post of three on risk management at the CSO level of thinking. These posts are organized around my "laws of risk management".

The first post dealt with the reality that risk managed at the wrong level will lead to crisis. This post will deal with the reality that security controls and risk mitigation have to be aligned with the business.

The Second Law of Risk Management: Align Security Risk Management with the Business... aka Your "Risk Mitigation" Is Going To Hurt My Revenue!

Risk management has to be aligned with the needs of the business. Forgetting to take the business and its drivers into account is a fairly straightforward way for one of two things to happen.

Either your risk management activities will stifle the business in some fashion and result in anger, distrust, harm and perhaps you, the CSO, seeking a new job. Or, and perhaps worse, it will result in the business discarding and marginalizing the CSO and security risk management because you "just don't get it".

One of the most critical things that security practitioners tend to not get, to not understand, is that being part of the business means you contribute to the success of the business. Better information security, generally, is not considered contributing to the success of the business.

To contribute, you must provide value in either the top line or bottom line of revenue. That means you either make things more efficient and less costly and avoid unforecast operating expenses (bottom line) or you help generate new revenue (top line). You must show where you directly contribute to that if you want to be part of the business, not a tolerated outsider.

If you've identified a significant risk of data theft or loss and propose something that costs the company money, you had better show why the company should spend that money. Sometimes this is called Return on Investment (ROI).

Personally, I think ROI is a game the accountants created and that they privately call "make the business guy chase the pretty lights". ROI studies are all well and good, but honestly business leaders make decisions that are less well analyzed than all that.

If you can show that you will improve the bottom line somehow, you have a darn good shot at being aligned with the business with your wonderful risk mitigation idea. EVEN better is if you can show that the company could generate new revenue because of your wonderful idea. If you can't show either, then you are an expense. And expenses must be managed, controlled and made as small as possible in order to maximize profit.

So, no matter how wonderful your idea, you need to figure out more than just "here's my great new idea". Because it is likely that the business guy involved in the discussion is going to poke holes in it because it makes his employees less efficient, his IT systems more costly, his compliance and training requirements greater. If you do that, you are not aligned with the business and your risk mitigation plan is never going anywhere but file 13.

Cross-posted from Security, Cigars & FUD

Ben Keeley: 'One of the most critical things that security practitioners tend to not get, to not understand, is that being part of the business means you contribute to the success of the business. Better information security, generally, is not considered contributing to the success of the business.

To contribute, you must provide value in either the top line or bottom line of revenue. That means you either make things more efficient and less costly and avoid unforecast operating expenses (bottom line) or you help generate new revenue (top line). You must show where you directly contribute to that if you want to be part of the business, not a tolerated outsider.'

A question I'd ask is do business managers appreciate the real financial impact of successfully exploited vulnerabilities (fines, loss of business, etc.), do they even have an appetite to discuss such things? (I have my own opinion here). As much as the 'security guy' needs to be able to understand the business, doesn't the 'business guy' also need to think beyond this quarter's revenue/sales targets?