Spread the risk of making risk decisions

Someone has to decide where to put limited risk mitigation resources, but it shouldn't be you.

There's no way to prepare for every possible computer security disaster, and determining the right level of protection vis-a-vis the need for operational efficiency is a complex calculation. Quantifying risk and determining the appropriate level of resources to mitigate it should be the job of senior business managers, not IT, writes Robert A. Grimes at InfoWorld.

While it is IT's job to estimate the probability of potential threats and the costs of protecting against them, it is the job of senior management to establish the company's threshold for risk, Grimes writes. It doesn't help the IT team to present doomsday scenarios because management eventually will begin to overlook the risk to operations and view IT as an impediment to efficiency.  Instead, make the business managers come up with their own risk priorities.

"If a hack attack stopped a certain part of the business from functioning, how disastrous would it be? Force the business to make those assessments, and with that hierarchy of concerns, you can map the most critical parts of the business to the most critical parts of your infrastructure," he writes.

Once management has established what it considers the "crown jewels" in the company, focus security resources on those assets and the infrastructure that supports them.

For more:
- see Robert A. Grimes' post at InfoWorld

Related Articles:
The futility of risk management in the world of IT
Making users manage their own risk
Sophisticated tools needed to manage today's risks