Few organizations understand just how wide the gap can be between IT security risk and business risk.
While IT security risk management efforts focus on identifying threats to the IT infrastructure, business risk management is a much broader discipline encompassing the many and varied aspects of a business beyond IT, including operational risk in areas like finance, procurement and business development.
"What happens is you have this adversarial or disjointed view of risk understanding," said Tony UcedaVelez, founder and managing partner with application security consultancy VerSprite. "Security practitioners need to understand the businesses they're defending."
In this video, UcedaVelez discusses the importance of translating IT security risk into business risk, and how to do so in a way that emphasizes the potential cost to the business. He also discusses why some IT security risks present more or less business risk than information security practitioners realize, and how to ensure an IT security risk assessment can be used to successfully articulate business risk.