The CSO perspective on risk management
by Mirko Zorz - Editor in Chief - Thursday, 9 May 2013.
People need to be provided the security awareness and training that pertains to their job function. People get overloaded with information as it is, so providing security messages based on role or function is key. A consideration is to be sure to provide examples of “why” it is important. People want to do the right thing, so if they know why they must use a certain safeguard – they will. Another tip is to provide messages that people can personally relate to and then remind them that it is the same “at work”. For example, the week after Thanksgiving many people start their holiday shopping online. I use this opportunity to remind folks how to protect their information, and by the way – they should use the same practice at work.

What lessons have you learned in your current position? What advice would you give to other CSOs tackling the issues surrounding risk management?

One of the business lessons I have learned is to keep building relationships with people. Get to know what their goals are and what their business processes are. Once that is understood, a realistic risk assessment can be done.

Another important lesson has been that security messaging may not always be accepted in the corporate culture. So, divide and conquer. Identify the key stakeholders and how the security message will improve their area. Try to think of what their objections may be and be prepared to address them. It is all practical business sense, but many of us in information security have been technically trained, not business trained. I would say that we as a profession need to get on the fast track to get into the business rather than a bolt on… Something that we’ve been trying to do for years and now’s the time to get to it.
