What’s Your Target?

It's been a while since I publicly blogged. Between family, work, school, podcasting, helping run the Society of Information Risk Analysts (SIRA) and some public speaking – time has been limited. I want to briefly write about targets today.

I have had the privilege to speak twice in the month of May. The first engagement was at Secure360, an awesome regional information security conference based out of St. Paul, Minnesota. Mr. Jack Jones and I partnered up to give a talk about having a ‘seat at the table’. Specifically, speaking in a language that our IT and business leaders understand, establishing perspective, gaining influence, and providing value to our leaders so they can effectively manage risk. The talk appeared to be well received and there have been a few follow-up conversations with some information security professionals that want to up their game – which was the point to begin with.

Earlier this week I had the privilege to speak about IT risk management – specifically IT risk quantification – as part of the ‘CIO Practicum’ series at the University of Kentucky. The theme of this particular event was “Security for Grown-Ups”. I found myself in a room of IT and business executives who came to get a glimpse of how information risk management functions can begin adding value to the business or organization. My take-away from the event was that IT and business executives are craving value-add from information risk management functions (security, continuity management, compliance, etc.). Let me repeat in bold capital letters: IT AND BUSINESS EXECUTIVES ARE CRAVING VALUE FROM INFORMATION RISK MANAGEMENT FUNCTIONS.

So here is the dilemma. Information risk management professionals want to add value and our IT and business executives want [expect] value. How can we achieve goodness?

In order to achieve goodness, you and your leadership have to define it for your organization – you have to have a vision or a target to direct your efforts toward. That requires building relationships with your leadership and executives to develop mutual trust, perspective and a shared understanding of why the organization exists, how the information risk management function fits into the organization, and how that function contributes to helping the organization reach its goals and fulfill its strategy.

If you are an information risk practitioner – whether in security, continuity management or compliance – what is the target that the outcomes of your efforts are directed towards? If you don’t know – figure it out quickly. Better yet – if your manager or other leaders cannot tell you, then be proactive and work with your leadership to help define it.

If you are an IT or business executive that happened to stumble on this blog post – let me ask you a question. Have you established a vision or target for your information risk management function(s) to direct their efforts toward? If so – how is it working out? Is value being added? If a vision or target has not been established, why not?

Thoughts?

One Response to What’s Your Target?

  1. Smith says:

    Risk management, analysis, assessment etc., has always been an interesting dynamic of InfoSec that I think if properly presented and delivered would be like taking candy from a baby regarding Executives or C level personnel. At the end of the day it’s all about money: if you could tell the director of operations at xyz corp that he would shave 20% annually from the IT budget, you could sell them a box of diapers. The conundrum, at least for me, is how to identify, articulate (non-tech), then of course quantify how much $$$$$ is saved from any InfoSec related solution. It’s like selling stocks or similar; the majority of the content presented is non-tangible and essentially in the eyes of most execs just a big IF type scenario, and those are hard to sell and prove ROI.
    “Risk” is primarily subjective and it is nearly impossible to quantify another person’s subjective reality of any given situation. Yes you can pour out all the stats, and facts and whatever else to try and convince an exec that yes solution “supersecure” is going to save them money because they know that most risk analysis data is intangible and has a low percentage of occurrences in the real world. I have been in IT for 12 years with about eight of those years involved with InfoSec, have some certs but the only one to me worth really anything is my OPST (http://www.isecom.org/verify_people/) from ISECOM ( http://www.isecom.org/) which really solidified my grasp on conceptual vs. applicable knowledge.
    I do a lot of freelance projects for small businesses and residential users, mostly can troubleshoot or provide a solution to any situation. Unfortunately not many have been InfoSec projects. It’s just not something key business personnel really look at or for. I would rather do Assessments and Test identified organizational risks but I am a one man show and it’s hard to sell. First and foremost I need to support myself and my family so any work I will take.
    So the target outcome has to be monetary at the root, and quantifying risk to me is so chaotic, everyone has a model or method but each situation is entirely unique so I don’t know how there can ever be a single standardized approach. It would have to be modular, fluid and able to evolve. Also there needs to be a psychological element like social engineering or mind hacking to sell your risk hardening solution.
    I almost never blog or respond to anything but your article is the first I have seen that presents itself like a natural conversation/thought rather than all the canned cookie cutter stuff I come across. I would be really interested in a risk management framework based on a fluid uncanned approach rather than just a pre-conceived checklist.
    I know it sounds gunslinger and perceived as unprepared, that is why I have not pushed it very much when doing consulting, but I am always thinking about what and how I could use that approach without looking like a novice.

    Well that’s my take on the subject. How do you present and deliver the target outcome? If anyone has knowledge of a methodology based on my statements let me know.
    Thanks