Security as a Subset of Risk Management

What does Risk Management mean to you?  If you have read my blog you know that I focus on topics like Security or Compliance.  You may have noticed, as well, that my title is Chief Risk Officer and you may have wondered how this fits together.  Compliance cannot exist without the appropriate controls (security) in place.  Moreover, Risk Management can be said to be the art of balancing the cost of a control against the value of the benefit derived from that control.

I have spent most of my career dealing with security controls and compliance.  After a while, it occurred to me that in order to convince someone, usually an executive, of the need for spending money on a control, I had to convince that executive of the value derived from implementing that control.  The cost of a control can have multiple factors.  The most obvious is the cost to initially acquire the control, whether that is software, processes, personnel or any number of other costs.  One sometimes ignored component of the cost of a control is the cumulative cost effect.  Just about every control has costs associated with acquisition, administration, maintenance, and regression testing, to name a few.  Every time you add an additional control, the costs for administration, maintenance, testing and complexity are greater than they would be if the control were stand-alone.  This is because some controls conflict with others or make administration more complex.

Many executives see security professionals demonstrate this concept repeatedly.  The rationale used for justifying these costs is Fear, Uncertainty and Doubt (FUD).  Claims of utter destruction and the end of the world (with all due respect to those that thought the Mayans were doing just that) are often used to generate FUD.  These security professionals are often frustrated that executives do not support their programs or believe their claims.

Another perspective taken is that with more controls, you reduce your risks from the negative effects of attacks, calamities and the like.  Although this is true, to a degree, bringing those risks down to a negligible level often requires many controls.  Now we circle back to the ever-increasing costs of controls.  Even if FUD is used successfully to initiate a security program, it can neither be sustained nor repeated, for it would leave the executive out on a limb on the tree of FUD.

What is the best way to avoid FUD, put in enough controls and not spend too much on them?  Consider the chart below.  Life is never quite this simple, but if we accurately articulate the costs of controls AND the associated reduction in potential losses, the answer is always straightforward.  Never spend more on a control than you would lose if you did not have the control.

Recognize that the value of the benefits is multi-faceted.  Increased productivity, opportunity costs and competitive advantages are just some of the values that need to be factored in.  By keeping this perspective in mind, good and effective security controls will play a vital part in your risk management program.

[Chart: Fear, Uncertainty and Doubt (FUD)]

About the Author: As Chief Risk Officer at Layered Tech, Jeff Reich (@LayeredTechCRO, +Jeff Reich) drives the company’s security and compliance services and guides risk mitigation efforts for clients. With more than 30 years of experience, Reich is a well-known risk management and security expert in the industry. He holds CRISC, CISSP and CHS-III certifications and is an ISSA Distinguished Fellow.

3 Responses to “Security as a Subset of Risk Management”

  • Great post Jeff! Very insightful information on a complex topic…

  • Chris,

    Thanks for the kind words. It’s great to hear from you!

  • Quite well summarised and helpful indeed.
    In practice, what is often lacking in implemented risk controls/security seems to be the “bottom-up” system. Compliance with security measures and rules requires the motivation of ALL persons concerned, no matter their rank in the hierarchy.
    Today, we see a vast majority of “top-down” systems without participation and/or motivation of the people at the bottom end of the hierarchic pyramid, who regard risk management as more red tape imposed by the “execs”.
    This seems to be a very important factor for the success of a program, isn’t it?