It’s time to rethink risk – both how to operationalize it and how to define it. With all the incompatible views of risk from different stakeholders through an enterprise, it’s hardly surprising that so many organizations struggle to get beyond checklist security mentality.
Excerpt from: Rethinking risk
“Start with a listening tour: What (those other LOB executives) care about, what their business objectives are,” says J. Wolfgang Goerlich, advisory CISO of Duo Security. “You must interpret and explain security needs as business outcomes. Security can no longer be about avoiding the bad things. It must align to the business direction.”
Read the full article here: https://www.scmagazine.com/home/security-news/features/rethinking-cyber-risk/
Wolf’s Additional Thoughts
I’ve been vocal about my disillusionment over risk management. It has its place, to be sure. It was my starting point. And I gave a number of talks advocating risk management, say 2008-2015, including one for the Society of Information Risk Analysts (SIRA). Risk management techniques are excellent at prioritizing efforts within the security function. But having built programs around risk management, I’ve realized the limitations.
People don’t think in terms of risk. Risk treatment tables don’t resonate with our stakeholders. High or low is meaningless without context. People don’t get it.
People also don’t act on risk. Wendy Nather coined this “cheeseburger risk management,” a term which I love. People will eat cheeseburgers even though they know the risk. They’ll eat right up until they have a heart attack. Only then will people get serious about what they eat, and as evidence shows, that discipline only lasts for a short time.
Evan Schuman’s coverage of these difficulties is a great place to begin questioning where and how we use risk in cybersecurity. I’m continuing to explore alternatives for communicating with the business, getting buy-in, and driving action in my security principles design series.