As promised, I have more thoughts explaining my "laws of risk management". This is the second of three posts on risk management at the CSO level of thinking, each organized around one of those laws.
The first post dealt with the reality that risk managed at the wrong level will lead to crisis. This post will deal with the reality that security controls and risk mitigation have to be aligned with the business.
The Second Law of Risk Management: Align Security Risk Management with the Business... aka Your "Risk Mitigation" Is Going To Hurt My Revenue!
Risk management has to be aligned with the needs of the business. Forgetting to take business needs and drivers into account is a fairly straightforward way for one of two things to happen.
Either your risk management activities stifle the business in some fashion, resulting in anger, distrust, harm and perhaps you, the CSO, seeking a new job. Or, perhaps worse, the business discards and marginalizes the CSO and security risk management because you "just don't get it".
One of the most critical things that security practitioners tend not to understand is that being part of the business means contributing to the success of the business. Better information security, on its own, is generally not considered a contribution to the success of the business.
To contribute, you must provide value in either the top line or bottom line of revenue. That means you either make things more efficient and less costly and avoid unforecast operating expenses (bottom line) or you help generate new revenue (top line). You must show where you directly contribute to that if you want to be part of the business, not a tolerated outsider.
If you've identified a significant risk of data theft or loss and propose something that costs the company money, you had better show why the company should spend that money. Sometimes this is called Return on Investment (ROI).
Personally, I think ROI is a game the accountants created and that they privately call "make the business guy chase the pretty lights". ROI studies are all well and good, but honestly business leaders make decisions that are less well analyzed than all that.
If you can show that you will improve the bottom line somehow, you have a darn good shot at being aligned with the business with your wonderful risk mitigation idea. EVEN better is if you can show that the company could generate new revenue because of your wonderful idea. If you can't show either, then you are an expense. And expenses must be managed, controlled and made as small as possible in order to maximize profit.
So, no matter how wonderful your idea, you need to figure out more than just "here's my great new idea". It is likely that the business guy in the discussion will poke holes in it because it makes his employees less efficient, his IT systems more costly, and his compliance and training requirements greater. If that is all you bring, you are not aligned with the business, and your risk mitigation plan is never going anywhere but file 13.
Cross-posted from Security, Cigars & FUD