Information security officers need to sharpen their risk management skills


This article can also be found in the Premium Editorial Download "Information Security magazine: Comparing seven top integrated endpoint security suites."

For the last few years, we've heard that CISOs need to improve their business skills. But many of today's security managers are lacking another critical discipline: risk management. As compliance initiatives become more ingrained in our business culture, and security plays a role in most IT disciplines, there is a need for an internal "trusted adviser" who is able to translate the nuances of IT initiatives into real risk metrics. Security controls, for example, have traditionally been knee-jerk purchases or have been based solely on technical opinions and interest. Security management needs a more viable rationale for security design and implementation, as well as a more consistent framework for influencing business decisions and explaining why security is integral to business strategy.

A good friend who is a CISO explains the situation well. In his view, a CISO should really be called a CRO--chief risk officer--or report to one, and a major element of the position should be policy management: establishing guidelines and policies that adequately capture the organization's risk tolerance, and then working with operational management to ensure the policies are adhered to. The security profession talks a lot about policy these days, but we tend to omit that critical detailed risk analysis factor. Unless today's CISOs learn this important discipline and become adept at articulating it to senior management, the role of a CISO as we know it may very well become extinct.

This was first published in November 2007
