Chapter 2. Risky Business > Business-Driven Security Program - Pg. 28

authorized time. Violations of this can take many forms, many of which we will explore throughout this book. The discipline of risk management will give you the tools to qualify the real risks to your organization and prioritize the remediation of exposures. In the end, you need to be able to articulate the risks and justify the recommended mitigation steps to the organization in terms the nontechnical management can understand.

BUSINESS-DRIVEN SECURITY PROGRAM

As previously discussed, every organization has a certain threshold for risks across the entire business; the challenge is gauging the executive team's risk appetite before an incident occurs. Whenever you join a new organization as a risk manager, it is important to take some time to observe how the business functions and understand the decisions that are being made. With this insight, you should begin to profile senior management's tolerance for risk in different areas. You can expand on this knowledge through direct conversations with the executives about areas of concern or even host more formal tabletop exercises to talk through likely incident scenarios. The important point is to use this as an opportunity to listen and profile the risk appetite of the organization through the lens of senior management. This idea of profiling your organization is explored in greater detail at the end of Chapter 4.

TIPS & TRICKS

Don't underestimate the power of just listening. Security professionals may be used to doing a lot of the talking, but listening and careful observation can be invaluable tools!

Work Smarter, Not Harder

When developing a security program, you need to start with the organization's objectives and identify how the security program can help achieve them, not the other way around. If you can't map a security initiative to a business objective, then you probably shouldn't be spending time on it.

It can be overwhelming trying to tackle the hundreds or even thousands of vulnerabilities your organization may have, so you need a consistent and simple way to prioritize remediation for the organization. Limited time, money, and resources are always going to be a reality, so it is important to be strategic and not spend your political capital on the small stuff. If you are escalating a critical issue to the senior management, make sure that it is comparable with other organizational risks that your initiative might be pulling resources away from. Even the most experienced and disciplined security professionals fall into the trap of information overload. There are just so many sources for potential and