One thing that we all agree on is the broad and ever-changing threat landscape we constantly contend with, and the security related risks such threats bring with them. However, one aspect that divides the community is how security risk should be viewed through a business lens.
When I started out in security, I remember meticulously identifying security controls, testing their effectiveness and recommending additional controls where gaps appeared to exist. I remember battling with teams to prioritise making modifications to improve controls that would reduce the likelihood of a security risk eventuating.
Security is the Most Important Thing...Isn’t It?
Today, with a better understanding of risk and its place within an organisation, I have come to appreciate that for some businesses, the loss of availability of their systems and applications, or access to data by an unauthorised entity may not have the devastating impact I once thought.
The realisation I have reached is that no type of risk is inherently more important than any other. It is the level of the risk, and its relative impact on the business, that is key. Having come to this realisation, it became clear to me that, as security professionals, our foremost obligation is to unemotionally present risk in business terms, and to consider controls and control strengths in that context.
Lessons Learned in Recognizing Risks
- Security risk is just another business risk with business consequences.
- The size/impact of a risk is evaluated in the context of overall business strategy and objectives (think risk tolerance + risk appetite).
- Let the business leaders do what they do best - lead the business.
To do this successfully, it is critical that security professionals make a concerted effort to understand the overall nature and strategy of the business, and how security ties into that.
Only armed with this knowledge does it become possible to see that the remediation of a critical vulnerability may not be the top priority.
For example, the vulnerability may not represent a high risk, or the cost to remediate it may outweigh the effective cost of impact.
Although this may be difficult, it is ultimately what we as security professionals must understand and accept when fulfilling our obligation to inform the business appropriately.
In the end, it is about driving successful outcomes for the business and as security professionals our obligation is to be enablers for this success.
What Does Security Look Like through the Future Lens?
Naturally, we must help the business understand when to exercise caution and equally when there is less need to.
Ultimately, risk management is a partnership: the business understands the consequences of a risk, and the security professional understands its likelihood, as determined by the threat, the controls implemented and their strength.
Achieving this balance will result in overall better outcomes.
Chris is an innovative and business focussed senior security and risk manager with over 15 years’ experience of managing positive outcomes for large iconic brands and government entities.
Chris has a proven track record in translating executive and senior management strategic goals and business objectives into practical secure solutions utilising extensive knowledge in security and risk mitigation strategies.
Chris is an engaging and inclusive leader with a strong focus on developing and managing global teams that deliver customer focussed service whilst guiding diverse stakeholders to achieve organisational goals.
When not talking about security or risk, Chris can be found around the golf course, travelling or watching his beloved Sydney Swans AFL team.