Being in security is a risky business

Being in security is risky

Imagine working somewhere everything you do doesn't solve the underlying problem. Why?

Because you can't solve security.

Security isn't an end state; it's something we have to move towards, but the realm of possible attack vectors expands while we're remediating the potential opportunities for attack we already know about.

Why is being in security risky, then? Think about it.

You can't solve it. You can show progress, but the reduction in likelihood and impact of something is an equation you come up with yourself. Executives trust you (hopefully), but they can't accurately verify the security maturity.

They can't because they don't have the credentials, but also because security's business value is two-fold:

  • We can share with stakeholders and customers our commitment to improving security and protecting customer data -> Marketing/Assurance/Trust
  • We invest in people, processes and technology to reduce the likelihood and/or impact of future incidents -> Risk Management

Security is all about risk

If you look at the two fundamental business drivers for security, Risk Management is literally half of it (if you take on my definition).

How much, where, when and some of the how are determined with Risk Management.

Everything internally facing, all of the key decisions for your Information Security program are underpinned by Risk Management.

All of this work should help the business with answering the following:

  • What has the highest impact if we do something now?
  • What would probably not amount to much improvement in our current security posture?
  • Which risks are too much work to mitigate now, but should be long-term priorities?
  • How much does it cost to mitigate the top 3 and transfer number 4?
  • Why are you wearing a suit? We're a start-up.

The business sets the risk needle, you deal with it

This is cool and all, but... you don't really get to decide which risks are worth taking.

Enter the risk needle.

A risk needle is the level of risk acceptable to your business (also called appetite or tolerance) at any point in time.

You know the risks, you know the crown jewels, you know the holes you currently have, so you should set the risk needle, right?

Wrong.

The business cares about staying in business and winning new business. It doesn't care about managing risks if they don't align with these two objectives.

The issue is, they choose whether the risks align or not. They have access to a wealth of information you're often not privy to, meaning their decisions are ultimately underpinned by the greater good of the company, which might not comply with good security practices sometimes (always?).

In the end, hopefully, the business will own the risks anyway, so your role should end there. Or does it?

Risk managers, risk advisors and sometimes risk owners too

GRC has a very complex role in risk management.

They often centralise where risks are recorded and formally managed (the risk register).

They are also risk advisors, meaning the business looks to them for expertise and input on what should be accepted, mitigated, transferred, avoided, etc.

In a lot of SMBs, GRC also ends up owning the risk. This happens because if you are the only one actually performing risk activities, no one else will bother. "If you know and manage those risks that well, why don't you own them then?"

Our drive to do the right thing for the company often leads us to overcommit and to literally risk our jobs.

Risky conclusion

Your company wants to accept the maximum amount of risk possible without undermining any macro-objectives regarding staying in business and winning new business.

There, you have it!

Kind regards,
