It's important to understand what risk is before beginning the assessment process. A risk is any threat to your organization that is economically quantifiable. You need to be able to substantiate risk in dollars, i.e., lost dollars should risk become reality.
Business executives must consider many risks: risks from their suppliers, which affect product production; execution risks, which involves the ability to execute a plan; and market risks, which involves market availability. The operations with the biggest risks should have the most input – it's simple economics.
If we are talking about security risk, then the chief security officer (CSO) has the responsibility (and accountability) of understanding all the risks to the business and presenting those security risks in the language of business. They work with the network group, the data center folks, the application developers and the business units to understand what is important and how it should be protected.
Spending a lot of time trying to quantify the exact risk and putting detailed business cases together before buying security products is a waste of time. Ultimately, understanding the aftermath and contemplating the probability of a system failure is what's truly imperative. This is practical advice, but it is based largely on gut feelings and experience, which is often hard for many business people to understand.
For more information:
Dig deeper on Enterprise Risk Management: Metrics and Assessments
Related Q&A from Mike Rothman, Contributor
In the world of security certifications, what is the GISP and how alike is it to the CISSP? In this security management expert response, learn about ...continue reading
Depending on your enterprise, it may or may not be necessary to utilize a QSA. In this security management expert response, learn how to determine ...continue reading
When developing software securely, what role does gap analysis play? In this security management expert response, learn how to implement gap analysis...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.