"Risk" has always been in the information security lexicon; however, the risks we like to talk about aren't the ones that keep executives awake at night. The CEO doesn't care about which firewall you're running or that your antivirus stopped 73 pieces of malware yesterday. So when making the case for a risk-centric security structure, stop throwing out the latest stats about spam or viruses or malicious packets and start talking about the stability and availability of the systems and services that drive the business. The executives we work with worry about what regulators will find in an audit, and whether there could be financial repercussions. They care about protecting the company's intellectual property as well as customers' data. They care about not showing up on the front page of the newspaper because of a breach. They care, in short, about the bottom line.
"It's like asking how much money my insurance policy saves," says one VP of IT, in a classic argument about the returns on a risk management program. And of course, quantifying losses avoided or risks mitigated is difficult. But our survey respondents say their risk management programs will provide tangible value. When we ask them about the cost savings or expense of risk management initiatives, their top answer, at 31%, is that they'll save the company a little time and money; 30% say they will save a great deal of time and money.
In the long term, absolutely. For now, most companies we work with find that risk programs aren't simple to implement; they require a deep commitment to change. Holistic is expensive. When we ask what's holding back those companies without formal IT risk management programs, respondents cite a lack of management will, lack of budget, and lack of time and manpower (read: not enough money). Traditionally, risk has been managed in an ad hoc fashion within various organizational silos and business units. Sometimes one individual is responsible for compliance, but more often than not, we see responsibility scattered across various units. Accountability is hit or miss.
Changing that structure isn't cheap or easy, but there's a lot at stake. Globalization and outsourcing are here to stay. Competition is fierce. Either define yourself and your company as an agent of change or get out of the way. And don't think you can do that by narrowing your scope. In our survey, 65% of respondents say their programs don't include operational, financial, or business risks, though they will be expanding. Reduce your sphere of responsibility too much and you may end up on the outside looking in.