Question: How do you, as a security executive or manager, decide what is "just enough" security?

Answer: You don't—management does.

"Just enough" security means reducing security risks to acceptable levels at an acceptable cost.

But it is not the job of the security executive to accept the risks or costs associated with the protection of business assets. That is the job of executive management, who are responsible to the business owners, whether they be stockholders of a publicly traded company or private owners.

It is the job of the security practitioner to present executive management with risk treatment options, so that management can make informed decisions.

It may be true that you make risk management decisions every day on behalf of management, as delegated to you by management. However, somewhere in that decision-making chain of events, you should be able to trace each decision back to management responsibility and accountability. It is management who are accountable to the business owners for the business, including its assets.

This is not just a matter of organizational hierarchy or management theory.

The additional fact is that the people responsible for the assets in their care—the security stakeholders—are often in the best position to make the risk vs. cost decisions. This is because they understand the potential effects of harmful impacts on the business assets they depend on (people, information, material, and critical business processes), and they are often also aware of vulnerabilities not always obvious to others. (You may already have seen this if you have had an active part in Business Continuity Planning.)

If the security risks to important assets are not acceptable to the managers who depend upon those assets, they can make the business case that justifies reasonable security expenditures.

It is generally the situation that the managers with the authority to accept a particular level of risk also have the ability to obtain the resources and approvals needed for risk mitigation. After all, the managers who are responsible for particular assets require the resources to manage and protect them.

Thus a sound risk treatment plan is developed with input from the management security stakeholders, who approve the plan and recommend it to senior management.

This is part of business-aligned security risk management. Approached properly, management is highly receptive to their security stakeholder role and to risk discussions. Why? Because they can delegate operational responsibility, but they can't delegate their accountability.

A bonus factor is that you don't have to "sell" your security program to management when they helped create it.

How do you start having risk conversations with managers? How do you enable your management security stakeholders (including senior management) to provide sound input to the risk evaluation process, and to make sound security risk decisions? This session addresses these questions.
This session builds on the following workshop preparation materials:

  • Leadership Material: Security Profession Profile
  • Worksheet: Business Alignment
  • Worksheet: "Talking Security" to Management and other Non-Practitioners

Session Leader: Ray Bernard, President, Ray Bernard Consulting Services