How Netflix Makes Security Decisions: A Peek Inside the Process

A senior information security risk engineer explains how Netflix's risk management program helps business leaders make key decisions.

It's difficult for risk managers to help decision-makers after a risky choice has been made. Unfortunately for many organizations, that's how traditional risk management programs work — and by the time an assessment has been done, the risky decision has already done its damage.


"We all accept certain amounts of risk in order to engage in business, but at what point is risk too much?" asks Tony Martin-Vegue, senior information security risk engineer at Netflix, who discussed the topic at this week's FAIR Conference.


In most companies, a risk management program covers any aspect of a business that takes on risk. Business leaders make a decision and implement it; the risk team then comes in, tests it, and reports issues. The first time a risk manager gets involved is when these problems are put on the risk register, at which point it's too late to help the enterprise decision-makers, he says.


Risk analysis is forecasting, Martin-Vegue explains. Analysts should want to be closer to the CEO, CFO, CIO, and other executives before major decisions are made so they can help make the optimal choice. Netflix has long used quantitative models, including the FAIR model, to make decisions because it puts threats into context and helps explain risk to business execs.


Most companies use the traditional paradigm of rating decisions as high/medium/low or red/yellow/green, he says. While this works for comparing three or four similar items or prioritizing projects, it does little when a security analyst is faced with three red alerts costing $10 million, $15 million, and $20 million each. Which one should they remediate first?
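The gap between three "red" items and an actual decision is what a quantitative model such as FAIR is meant to close. The following is an added example, not code from the article or from Netflix: a small FAIR-style Monte Carlo that turns frequency and magnitude ranges into annualized loss exposure and ranks the findings by it. The scenario ranges are constructed for illustration; only the $10M, $15M and $20M most-likely magnitudes come from the paragraph above.

```python
"""FAIR-style loss exposure (Monte Carlo) for three findings that all rate "red".
Constructed example: Risk = Loss Event Frequency (LEF) x Loss Magnitude (LM),
with each factor given as a (min, most_likely, max) range and simulated per year."""
import math
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    lef: tuple   # loss events per year: (min, most_likely, max)
    lm: tuple    # USD per loss event:   (min, most_likely, max)

SCENARIOS = [  # constructed inputs; magnitudes echo the article's $10M/$15M/$20M
    Scenario("A", (0.5, 1.0, 2.0), (8e6, 10e6, 12e6)),      # frequent, moderate
    Scenario("B", (0.1, 0.2, 0.4), (12e6, 15e6, 18e6)),     # occasional, larger
    Scenario("C", (0.01, 0.02, 0.05), (15e6, 20e6, 25e6)),  # rare, largest
]

def _poisson(rng, lam):
    """Knuth's method: number of loss events in one year at rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(scenario, years=10000, seed=7):
    """Return (annualized loss exposure, 95th-percentile annual loss) in USD."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    annual = []
    for _ in range(years):
        lo, ml, hi = scenario.lef
        n_events = _poisson(rng, rng.triangular(lo, hi, ml))
        lo, ml, hi = scenario.lm
        annual.append(sum(rng.triangular(lo, hi, ml) for _ in range(n_events)))
    annual.sort()
    return sum(annual) / years, annual[int(0.95 * years)]

def rank_by_ale(scenarios=SCENARIOS):
    """Scenario names ordered by annualized loss exposure, highest first."""
    return [s.name for s in sorted(scenarios, key=lambda s: simulate(s)[0], reverse=True)]

def rank_by_magnitude(scenarios=SCENARIOS):
    """What a magnitude-only 'red' list suggests: biggest single loss first."""
    return [s.name for s in sorted(scenarios, key=lambda s: s.lm[1], reverse=True)]
```

With these inputs the magnitude-only view puts the $20M finding first, while the simulated exposure ranks it last, because it rarely happens at all: its 95th-percentile annual loss is zero.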


"You don't know," Martin-Vegue sa ..
