by Michael Nossaman
Do you ever feel like a character in a Geico commercial?
“A security risk assessment will help reduce the chance of loss.”
“Everybody knows that.”
“Well, did you know that many CEOs don’t think of risk that way?”
Security practitioners by and large know what risk assessment is and its value, and that in optimum form it has both quantitative and qualitative elements. When it’s possible to gather hard data it has a quantitative foundation, and in every case it has subjective qualitative projections of probabilities and outcomes even though the latter may not be much more than educated guesses. Furthermore, a comprehensive risk assessment will cover every imaginable risk. So why is there so much resistance to an assessment and the recommended mitigation?
It’s because CEOs have a different view of risk than that of security people; they’re more risk tolerant.
CEOs view risk through the prism of maximum return on investment. That’s what they get paid to do and are under tremendous pressure to perform. What’s most important to them is protecting the brand, sustaining operations, growth, and new business opportunities. They accomplish those objectives using a playbook that includes new products and services, opening new markets, using new technology to improve efficiency and productivity, and cost-cutting. Each of those plays has inherent risk.
As a result, on balance, given the choice between a higher-risk decision that will produce a higher ROI and one with lower risk and lower ROI, today’s CEO will take the risk. For a CEO, avoiding risk in a competitive environment can be the higher-risk choice.
CEOs don’t care about understanding the technical aspects of security, but they do consider risk: controlled risk.
One of the traps that security personnel are prone to is the tendency to go all in and try to mitigate every risk. We’re trained and educated to do that. That’s not a bad thing; it’s just a harder sell.
If we approach risk with a viewpoint similar to that of the CEO – the long-term goals and vision for the organization – we’re more likely to be successful in getting buy-in and support for the resources required to protect the assets most needed to achieve those objectives.
Risk Assessment: A Pillar of Security Planning is a white paper by David Johnson and Gale Ericksen of ITG Consultants that offers both a quantitative rationale and a qualitative method to help the CEO and CSO align priorities, enabling the CEO to pursue his ROI objectives and giving the CSO the tools needed to make that possible.
That changes the conversation.
“Risk assessment will help us make more money.”
“Everybody knows that.”
Michael Nossaman is founder of the SBC.
Photo: Svilen Milev