The comment left on my previous entry led me to an excellent blog at http://www.emergentchaos.com/.
One of the contributors to that blog, Arthur, makes an interesting and very true point: “security is 90% about marketing and sales and 10% about technology.” I’ve made similar comments throughout this blog that managing risk is very much about dealing with perceptions and being able to communicate the right messages.
One of the ways I’ve been doing this recently is to present a list of risks to product owners and ask them the questions “how concerned are you about each of these risks?” and “how well do you think you are doing in mitigating them?” This approach has led to a number of very frank and revealing discussions where not only has my audience learnt something, but I’ve become more aware of what the business concerns are and have taken feedback on how to better communicate security issues to a non-technical audience.
In fact, I’m working today on various related follow-up processes: in particular, making sure that all of the right resources are easily available and that how to get to them and use them is clearly communicated. I’m sure that this will be a continuing theme.