Security's job is not to remove risk. Our job is to ensure the right people understand their risks.
I'm amazed that in 2017 I still run across security professionals, purportedly experienced security professionals, who get personally offended when their CEO or organisation chooses to accept rather than mitigate a security risk.
As security practitioners our role is not to mitigate or remove all risk - a business without risk is not a business. Running a business, at least a successful one, is all about managing a wide range of risks. Our role is to ensure the right people in the business understand the security risks they face, and what the realistic impact and likelihood of those risks are. If we've explained the risk and they choose to accept it, or only minimally mitigate it - that's fine; we have done our job and our duty to the organisation.
I work in healthcare - admittedly that's only been for a year and a half - but this approach was made abundantly clear to me within weeks of starting in the industry.
The executives who run our hospitals manage a spectrum of risks I don't even pretend to understand - from clinical risks (how do we ensure surgeons don't operate on the wrong limb), to patient and staff safety risks (how to reduce the number of patients injured through falls). I'm not in a position to tell them that a security risk I'm concerned about is necessarily worse than any of the other risks they are managing. What I need to do is ensure they actually engage in the discussion and understand the risk I'm talking about - and then give them the information to weigh that risk against the variety of others on their radar.
If you find yourself telling an executive in your organisation that they MUST address a specific risk, ask yourself: Do I know all the other (non-security) risks she's managing? And do I have enough information to really say that my risk is actually the most important to be mitigated?
We will be more successful, and probably face less burnout, if we step back from thinking all problems must be addressed immediately and instead work with our organisations to understand the full risk exposure and help them understand where security risks fit in that picture.