Using the Risk Management Process to Effect Change

Over the many years I have worked in IT and security, one question comes up again and again.

How can a security organization effect change when operations and the "regular people" are unwilling to make changes?

It is a maddening problem. You know these issues need to be resolved, but the "regular people", the owners, the customers (or whatever they are called) follow what I call the Ostrich approach. They bury their heads in the sand and ignore the issue, pretending it does not exist. Or they sign off on a risk and believe that the signature means they are now protected, as if accepting the risk made the risk go away.

Many times, we in security do NOT have the governance we really need to protect our companies effectively, so we have to find other ways to implement change. That way is typically the risk management process. Here we can call out the bad behavior, design, or practice in a Risk Acceptance that must be signed by people far above us. This puts the issue on the plates of upper management, even C-level positions, who then see how some part of the business is putting the company at risk. A risk acceptance should name the accountable owner, record any compensating controls, and carry an expiry date so the risk is reviewed again rather than forgotten once signed.

This obviously ONLY works if the people who must sign off are in the C-suite and have the authority to push down dictates.

Use the power you do have: write a convincing risk and escalate it to upper management.