Shostack + Friends Blog Archive


Risk Management Redux

Earlier this week, Mike Rothman took a swipe at Alex Hutton’s What Risk Management Isn’t by saying:

But I can’t imagine how you get all of the “analysts and engineers to regularly/constantly consider likelihood and impact.” Personally, I want my firewall guy managing the firewall. As CSO, my job is to make sure that firewall is protecting the right stuff. To me and maybe I’m being naive and keeping the proletariat down, but risk management is a MANAGEMENT discipline, and should be done by MANAGERS.

I have to disagree here. Risk management in the end is the responsibility of management, and as such the final decision belongs to them. But how can I as a manager make the right decision and know that a firewall is protecting the right stuff if my team isn’t well educated on what the risks are? How am I supposed to make the right decisions if I don’t know what the issues are? I need to have a staff of analysts, architects and engineers that I can trust to be regularly analyzing and evaluating the systems, applications and networks, so I can make the right choices or recommendations. I don’t need someone who blindly follows a help desk ticket. I don’t know a single CSO who wants to be micromanaging those sorts of decisions.

3 comments on "Risk Management Redux"

  • I kind of like the perverse incentives that an in-house prediction market would create…

  • Chris says:

    “If you don’t install that foosball table, the database server is gonna get pwned! You wouldn’t get the technical details, but believe me — I’ve seen it before.”

  • Alex says:

    What about common language? In your experience, have you had much frustration with people mixing threat, vulnerability, risk, etc…?
