Frank McGovern

As a security professional, it is important to remember that the work you perform is for the business. This means that what you do almost always applies holistically to the organization. Businesses work in risk management while achieving their business objectives. Security falls into that vertical of risk management; it exists as an enabler for the business so that it can thrive by continuing at full speed in a world full of cybersecurity risks.

When we look at an organization, the leaders of them are essentially the business itself. A good chief executive officer views the company as their own. In some cases, such as private companies, this is exactly the case since they are typically the founders or owners of the business. When looking at a public company, it is often a board that has chosen who is best to be the head of the business. Leading involves determining what is the best direction and management of the organization. A responsibility of having this role is defining how risks are managed. This can be through several ways: accepting risk, transferring risk, mitigating risk, or avoiding risk.

While risk includes many things beyond security, your role in security is to help manage those risks associated to security. Even though many organizations are not managing security risk properly yet (e.g., not having a security risk register), the risks still exist and may be getting “cherrypicked” often from basic concepts or generalized industry guidelines.

All of this is meant to make you understand that even if you do not notice that you are doing risk management, you are. It may not be so obvious but choosing to implement an antivirus is you deciding that malware on machines is—or could be—a problem and then working to mitigate that risk. With that said, it is important to understand that risk management funnels up. What you consider a risk might not align with what your manager sees as a risk and the executive suite may also have a differing opinion.

There is much you can do to properly identify risks and speak to their actual quantification, that is, the actual likelihood and impact a risk can have to the business. This can be anything from simply putting a simple problem statement to a solution, building a formal security risk register, and/or even presenting risk management suggestions to one or many executives. In doing so, you maybe will create a presentation or a well-written one-pager explaining the scenario and your business case. The executives’ decision is to then decide what is best for the business. In some cases, the business (remember, leaders of a business are the business itself) may not agree with you. This could be for numerous reasons, even including the fact that you may not have properly reflected the risk and management option well enough. And that sucks. This is where it is important to remember that The Business Is Always Right, even if you think they are wrong or they actually are wrong and one day the risk hurts the business!

Take these opportunities where the business disagrees with you to perform a lessons learned. Only you and others that report to the executive(s) know them and what they like to see or hear. You can reflect on how you should better approach it next time. Even if you do not want to hear it, your role involves some sales skills sometimes. Most importantly, try not to take risk management personally by marrying yourself to your solutions. You can shed feelings by always remembering that The Business Is Always Right.