Be a business believer
By Tim McCreight
We’ve all been there — the organization decides to head down a path we feel is fraught with risk, but they’re moving ahead, with or without you.
The question is, do we follow, or do we retreat to our office? Ending our work responsibilities with risk assessment and not following up with the business unit is a classic mistake many security professionals have made — myself included. The team collaborated on the assessment, understood the reasons why a certain project was important, identified the risks and then reported the findings to senior management. After the final management meeting, we head into the next project, believing our job is complete.
But we forgot to track how the business will manage the risk. Risk management theory provides four recognized approaches to managing risk: avoid, transfer, reduce and retain. These approaches recognize each risk as unique, and the approach an organization takes with one risk may differ from the approach it takes with the next.
Managing risks at a corporate level also requires an intricate knowledge of the organization’s risk appetite, and a realization that there are also positive benefits. Not every risk is negative — that’s the reward part of the risk/reward equation most business leaders follow.
As security professionals, we need to know how the organization plans to address the risks we so diligently documented. Will they avoid the risky business proposition altogether, or retain (accept) the risk and continue? Did they take out additional insurance to transfer the risk to a third party, or will they work with you or another operational team to reduce the risks facing the organization?
Good risk management includes following the “lifecycle” of risks. It’s important to identify and report on risks, but it’s also important to understand how risks are treated in your organization. The data we collect on the treatment of risks can be just as helpful as understanding the risks and their potential impact.
If your organization decides to reduce the risk because their tolerance level is low, you have a great chance to demonstrate thought leadership by looking at the risk as an opportunity to assess existing controls, or develop creative approaches with current technologies and procedures. I’ve personally used existing technology for a few “undocumented” procedures and was pleasantly surprised to find new ways to reduce risks.
Should your organization continue with their current approach (retain the risk), you should still be aware of this decision and document it. The goal of this approach is not to cover your professional butt, but to ensure business units are aware of their responsibility toward the risk and the impacts it may have on the organization. As a security professional, you should also take this opportunity to look at any “Plan Bs” you may have, just in case.
Avoiding risk is the perfect scenario for a security professional, but the most unlikely for business leaders. Risk is a fact of business life, and one that strong business leaders understand and embrace. Security professionals historically avoid risk because of the potential harm it may bring to our organizations. We’re slowly changing our opinions, but that will take time. And that timeframe is typically too slow for business units.
Documenting risks and the selection of risk treatments completes the lifecycle of risk management for a security professional. Our goal isn’t to create a black book of bad decisions and poor choices but to ensure we keep supporting our organizations and realize that business decisions are made by business leaders.
Tim McCreight is the chief information security officer for the Government of Alberta (www.alberta.ca).