Security risk management is ultimately about prioritising available resources. All the hoops security professionals go through to assess threats, vulnerabilities and risk levels are at the end of the day for them to be able to single out what threats should be countered by which measures in which order.
It is a very positive tendency that the security risk management community increasingly has been focusing on “enabling”. An attempt to ensure that one’s own effort is in line with the organisation’s strategy and objectives and that you support and strengthen rather than limit. In other words, the security manager can go from being the “naysayer” to saying “yes we can do that – if…” and even add competitive edge through how security risks are managed; the footprint you leave, the international standards you comply with, the ability to integrate with your customers’ organisations (how can we add value to our customers’ customers?) or the information you are able to deliver – the possibilities to enable and strengthen the organisation are many.
That is why two of my areas of focus has always been to:
1) involve relevant stakeholders (get inspiration on the “how” with the power-interest grid by Eden & Ackerman, 1998) in security risk management, even though it takes time and you have to accept that you will not look as efficient to sr. management as you could – in the long run, you’ll have a much greater impact. Remember that “effect = involvement x quality” and if you have to change how people work – involvement is key.
AND
2) prioritize implementing the mitigating measures you have evaluated as worthwhile during in the security risk assessments. It is a trap to get deeply fascinated by the colours of your heat maps and details of your risk register that you tend to forget what it’s all about – implementing measures that impact the level of risk your colleagues (& customers?) are facing. It is the basic discipline in business “Project Management” that will change things “where the metal meets the meat” or in business language – where you meet your customers’ needs.
To keep it short; put effort into identifying and implementing the mitigating measures that support your organisation and prioritise the involvement of relevant stakeholders.
The author is the CEO & Founder of “Human Risks” – an online platform for security risk management where identification of mitigating measures, management and involvement is in focus. Read more on www.humanrisks.com