I’m glad to see that Gartner have taken my advice from last September and, in a new research note entitled “Tutorial on How to Move Beyond Security Awareness to Create a Risk-Conscious Culture”, advocate an approach of replacing the word “No” with the phrase “Yes, and …”. This simple change in style of communication can make a big difference in how the risk manager’s role and contribution are perceived.
It’s an important point because taking a negative stance towards requests for new services will eventually result in a loss of credibility.
Responsibility works in both directions – if you turn down a request, what impact does that have on the functioning of the business? Remember that business teams have deadlines to meet, and your information security policies will not be uppermost in their thoughts as they strive to meet targets within budgets and earn the revenue that pays your salary. My previous blog makes the point that you also need to use intuition. Just how much risk is really involved?
That doesn’t mean you’ve now allowed the business carte blanche to trample over all the good practices that you’ve strived hard to put in place. It simply means that a reasoned approach where risks are explained, alternatives proposed, and quick action is taken will win you respect and keep the wheels of the business turning.