Home > Ask the Security Experts > Expert Archive: Security Management Questions & Answers > Should all members of a security staff be involved in the risk assessment process?
Ask The Security Expert: Questions & Answers
EMAIL THIS

Should all members of a security staff be involved in the risk assessment process?

Mike Rothman, past SearchSecurity.com expert EXPERT RESPONSE FROM: Mike Rothman, past SearchSecurity.com expert

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 22 May 2007
Who should be involved in assessing risks for an organization? Should certain groups have more or less input than others?

>
Risk is a business function, so ultimately the CEO needs to understand the risks to the business and either accept them, eliminate them, or assign the risk to someone else (sort of like re-insurance). The senior security staff of the organization is responsible for presenting potential risks and determining the best way to handle them. Ultimately the senior executives (including the CEO) will need to make the final decision as to how to deal with that risk.

It's important to understand what risk is before beginning the assessment process. A risk is any threat to your organization that is economically quantifiable. You need to be able to substantiate risk in dollars, i.e., lost dollars should risk become reality.

Business executives must consider many risks: risks from their suppliers, which affect product production; execution risks, which involves the ability to execute a plan; and market risks, which involves market availability. The operations with the biggest risks should have the most input – it's simple economics.

If we are talking about security risk, then the chief security officer (CSO) has the responsibility (and accountability) of understanding all the risks to the business and presenting those security risks in the language of business. They work with the network group, the data center folks, the application developers and the business units to understand what is important and how it should be protected.

Spending a lot of time trying to quantify the exact risk and putting detailed business cases together before buying security products is a waste of time. Ultimately, understanding the aftermath and contemplating the probability of a system failure is what's truly imperative. This is practical advice, but it is based largely on gut feelings and experience, which is often hard for many business people to understand.

For more information:

  • Use this report card to measure your disaster recovery plan and identify areas that need improvement.
  • Identity management and access control expert Joel Dubin examines how risk-based authentication methods differ from static authentication methods.


    • BROWSE BY TAG
    Expert Archive: Security Management,   Enterprise Risk Management: Metrics and Assessments,   Information Security Management,   VIEW ALL TAGS

    Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



    RELATED CONTENT
    Expert Archive: Security Management
    What is the GISP certification and how does it compare to the CISSP certification?
    Using a QSA to write up a PCI DSS report on compliance (ROC)
    How can gap analysis be applied to the security SDLC?
    Comparing cheap security products and appliances to costly appliances
    What are some tips on protecting my security budget in a poor economy?
    What value do research firms provide to their subscribing enterprises?
    What certificate offers the best ROI for an IT project manager?
    Is insider activity or outsider activity a bigger enterprise threat?
    How does information security prevent fraud in the enterprise?
    Differences between an SAS 70 data center and a Tier III data center

    Enterprise Risk Management: Metrics and Assessments
    How to avoid Internet liability lawsuits
    Bruce Jones: Report Security and Risk Metrics in a Business-Friendly Way
    Bernie Rominski: Communicate Effectively with Management about Risk
    Best Policy and Risk Management Products
    Monitoring program data and internal controls for risk management
    Risk management strategy for an information technology solution provider
    Align your data protection efforts with GRC
    The basics of enterprise GRC project management
    RSA council addresses growing security risks in the cloud
    How to write a risk methodology that blends business, security needs
    Enterprise Risk Management: Metrics and Assessments Research

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice



    Find Security Solutions for Your Business
    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Site Map




    All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts