Q

Should all members of a security staff be involved in the risk assessment process?

In this SearchSecurity.com Q&A, security management expert Mike Rothman discusses risk assessment for an enterprise, and explains how all members of the senior security staff should be involved in the process.

Who should be involved in assessing risks for an organization? Should certain groups have more or less input than others?
Risk is a business function, so ultimately the CEO needs to understand the risks to the business and either accept them, eliminate them, or assign the risk to someone else (sort of like re-insurance). The senior security staff of the organization is responsible for presenting potential risks and determining the best way to handle them. Ultimately the senior executives (including the CEO) will need to make the final decision as to how to deal with that risk.

It's important to understand what risk is before beginning the assessment process. A risk is any threat to your organization that is economically quantifiable. You need to be able to substantiate risk in dollars, i.e., lost dollars should risk become reality.

Business executives must consider many risks: risks from their suppliers, which affect product production; execution risks, which involves the ability to execute a plan; and market risks, which involves market availability. The operations with the biggest risks should have the most input – it's simple economics.

If we are talking about security risk, then the chief security officer (CSO) has the responsibility (and accountability) of understanding all the risks to the business and presenting those security risks in the language of business. They work with the network group, the data center folks, the application developers and the business units to understand what is important and how it should be protected.

Spending a lot of time trying to quantify the exact risk and putting detailed business cases together before buying security products is a waste of time. Ultimately, understanding the aftermath and contemplating the probability of a system failure is what's truly imperative. This is practical advice, but it is based largely on gut feelings and experience, which is often hard for many business people to understand.

For more information:

  • Use this report card to measure your disaster recovery plan and identify areas that need improvement.
  • Identity management and access control expert Joel Dubin examines how risk-based authentication methods differ from static authentication methods.
  • This was first published in July 2007
    This Content Component encountered an error

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    -ADS BY GOOGLE

    SearchCloudSecurity

    SearchNetworking

    SearchCIO

    SearchConsumerization

    SearchEnterpriseDesktop

    SearchCloudComputing

    ComputerWeekly

    Close