This morning, I read a piece in ComputerWeekly that made me cheer.
Risk and audit professionals, as a rule, have never seen an (adverse) risk* they didn't want to stamp on and kill.
When is the last time you saw an audit report that said management had too many controls or was not taking sufficient risk? When did you last hear a risk officer urging planners to move into a new market more quickly?
The same thing applies to information security personnel, so I was pleased when I read an article on "How the CISO must evolve to balance risk and business."
Here are some excerpts that appeal:
"Business success increasingly depends on the ability to balance the demands of cyber threats and regulatory compliance with innovation and growth."
"... communicate with the board and managers in various parts of the business; … run security as a business; … eliminate redundant controls; and … work with the business to enable innovation and growth".
"More specifically, the CISO needs to evolve from an isolated subject matter expert and analyst to a trusted advisor on how technology can improve business; to an integrated business thinker, facilitator, leader, evangelist and educator."
"The CISO must move from being a technical risk expert who focuses on the risk of loss, to include risk as a more central part of the role by understanding business priorities while continuing to maintain the corporate moral fibre [sic]."
"This involves taking risks to meet business objectives, but this can only be done successfully with a thorough understanding of the risk appetite of the business involved."
"… identify where the business is missing opportunities — either by being too risk-averse or through worrying too much about risks that were a real threat once, but can now be mitigated with relative ease."
It's this balance in thinking about risk, that if you don't take risk the business will fail, that is missing for too many audit, risk, and security professionals.
I don't believe it is acceptable to take the attitude that "our job is to identify a risk; it is management's job to determine what to do about it," and then complain when management decides to accept the risk.
Let's take a risk and accept that some risks should be allowed to live.