February 19, 2014 | by admin
Is Taking Risk Worth The Money?

by Michael Nossaman

Do you ever feel like a character in a Geico commercial?

“A security risk assessment will help reduce the chance of loss.”

“Everybody knows that.”

“Well, did you know that many CEOs don’t think of risk that way?”

Security practitioners by and large know what risk assessment is and its value, and that in optimum form it has both quantitative and qualitative elements. When it’s possible to gather hard data it has a quantitative foundation, and in every case it has subjective qualitative projections of probabilities and outcomes even though the latter may not be much more than educated guesses. Furthermore, a comprehensive risk assessment will cover every imaginable risk. So why is there so much resistance to an assessment and the recommended mitigation?

It’s because CEOs have a different view of risk than that of security people; they’re more risk tolerant.

CEOs view risk through the prism of maximum return on investment.  That’s what they get paid to do and are under tremendous pressure to perform.  What’s most important to them is protecting the brand, sustaining operations, growth, and new business opportunities.  They accomplish those objectives using a playbook that includes new products and services, opening new markets, using new technology to improve efficiency and productivity, and cost-cutting.  Each of those plays has inherent risk.

As a result, on balance, given the choice between a higher-risk decision that will produce a higher ROI and one that has lower risk and a lower ROI, today’s CEO will take the risk. For a CEO, avoiding risk in a competitive environment can be the higher-risk choice.

CEOs don’t care about understanding the technical aspects of security, but they do consider risk: controlled risk.

One of the traps that security personnel are prone to is the tendency to go all in and try to mitigate every risk.  We’re trained and educated to do that.  That’s not a bad thing; it’s just a harder sell.

If we approach risk with a viewpoint similar to that of the CEO – the long-term goals and vision for the organization – we’re more likely to be successful in getting buy-in and support for the resources required to protect the assets most needed to achieve those objectives.

“Risk Assessment: A Pillar of Security Planning” is a white paper by David Johnson and Gale Ericksen of ITG Consultants that offers both a quantitative rationale and a qualitative method to help the CEO and CSO align priorities, enabling the CEO to pursue his ROI objectives and giving the CSO the tools needed to make that possible.

That changes the conversation.

“Risk assessment will help us make more money.”

“Everybody knows that.”

 

Click here to download the ITG Risk Assessment White Paper

Click here for ITG Consultants

Michael Nossaman is founder of the SBC

Photo: Svilen Milev

 
