For quite a while now, I’ve been claiming that in order for InfoSec to do its job properly, it needs to understand the business. Yesterday, Jack Jones again showed that he’s in the same camp when he asked us: “Risk Decision Making: Whose call is it?” There he shares his thoughts on how to decide whether the Information Security team should be making information risk decisions for a company or whether those decisions should come from upper management. True to form, Jack clearly lays out the issue (complete with great graphs). Read the entire post, because it’s really worth it. In particular, though, check out the things-to-consider section:
The simple fact is, security leadership will never know as much about the business-related elements at the top of the illustration, and business management will never know as much about the risk elements at the bottom. Consequently, if security is empowered to make the major decisions, then they need to spend the time and effort to learn as much as they can about the business-related elements. On the other hand, if business leadership is making the major risk decisions, then security must provide clear, unbiased, and useful information so that the decisions are well informed.
I don’t disagree with Jack in the least. However, it’s important to realize that even in the latter scenario, security still needs to know a whole lot about the business, or it can’t possibly articulate the correct information in a way that senior management can understand.
And if the above rationale isn’t good enough on why you as a security professional need to understand the business, try this on for size:
A decision-maker will to some degree ALWAYS apply his or her own personal risk tolerance to a decision. Consequently, if security leadership has been empowered to make major risk decisions, they should try very hard to be as aware as possible of business management’s risk tolerances. If security leadership isn’t careful on this, then they will, invariably, run into issues where business management doesn’t support security’s decisions. And if the misalignment is bad enough (and I’ve both witnessed this and come close to having it happen to me – long ago) then it can become a “terminal” condition. At the very least it makes the waters far choppier than necessary.