Perceptions are the key to mitigating risk

How are you viewed within your organisation? Is Information Security seen as an automatic invitation to new project meetings and product reviews, or do peers try to avoid discussing things in too much detail with you just in case they mention something that is out of compliance with policy?

I've spoken a lot about perception already in this blog, but I keep coming back to it because, to be effective in managing security, it's important that the right people are open to working with you and that you are perceived in the right manner: more importantly, as an ally rather than an adversary.

If you're in a small organisation rather than the sort of mega-global enterprise that I work in then I don't know if your task is any easier. Maybe it is because you have fewer people to deal with but then again maybe it's more difficult for exactly the same reason.

If I had to sum up the single biggest challenge that I have faced during 2006 in addressing and mitigating risk, it is not technical, it is not operational, it is interpersonal. Every single issue I've raised, presentation I've given, risk assessment I've produced has needed to be tabled in front of multiple groups of people who all need convincing as to the truth, accuracy, and value of what I am saying. If you want people to take time and spend money in the name of risk mitigation then you need to be able to paint a picture in words, appearance and (frequently) PowerPoint in order to have the issue addressed.

Now, it's easy to say that a governance model with teeth would get around some of this issue. But I don't buy that. Sure, if you are in the military then a corporal can go tell a private to dig a hole and the job will get done without question. But here in the business world where your time is measured in an hourly rate and where you'd rather be adding a new ring-tone to your BlackBerry than having to listen to another techie telling you that the world is about to end, then we need to be convincing.

So, in that case, can anyone do this job if all they need is a nice suit and a clear voice? I'll let you answer that one...


Listed below are links to weblogs that reference Perceptions are the key to mitigating risk:

» Selling Security from Making the World More Secure
Over in his excellent blog at Computer Weekly, Stuart King writes about the importance of being able to convince others of the need for security. This seems to be a common theme in the industry at the moment. Everyone's talking...

Comments (1)

Andy Cunningham:

We all know perceptions are the key in this. What we really need are some good concrete examples of techniques that have worked to help convince people of the value of security.

About

This page contains a single entry from the blog posted on December 22, 2006 9:00 AM.
