Risk Management Redux
Earlier this week, Mike Rothman [link to http://securityincite.com/blog/mike-rothman/the-daily-incite-october-23-2006#TBP3 no longer works] took a swipe at Alex Hutton’s What Risk Management Isn’t [link to http://riskmanagementinsight.com/riskanalysis/?p=34 no longer works] by saying:
But I can’t imagine how you get all of the “analysts and engineers to regularly/constantly consider likelihood and impact.” Personally, I want my firewall guy managing the firewall. As CSO, my job is to make sure that firewall is protecting the right stuff. To me and maybe I’m being naive and keeping the proletariat down, but risk management is a MANAGEMENT discipline, and should be done by MANAGERS.
I have to disagree here. Risk management in the end is the responsibility of management and as such the final decision belongs to them. But how can I as a manager make the right decision and know that a firewall is protecting the right stuff, if my team isn’t well educated on what the risks are? How am I supposed to make the right decisions if don’t know what the issues are? I need to have a staff of analysts, architects and engineers that I can trust to be regularly analyzing and evaluating the systems, applications and networks, so I can make the right choices or recommendations. I don’t need someone who blindly follows a help desk ticket. I don’t know a single CSO who wants to be micromanaging those sorts of decisions.
I kind of like the perverse incentives that an in-house prediction market would create…
“If you don’t install that foosball table, the database server is gonna get pwned! You wouldn’t get the technical details, but believe me — I’ve seen it before.”
Arthur,
What about common language? In your experience, have you had much frustration with people mixing threat, vulnerability, risk, etc…?