I cringe when saying this, but organizations need to start consolidating all risks into one risk portfolio. Too often Security holds the technical risk for the organization without communicating it beyond the CIO. Technical risk should be one more input into a bigger, broader risk management approach, allowing the organization to understand all facets of risk, which would lead to better decision-making and distribution of resources. You think the CFO has trouble obtaining budget? As we saw with the banking environment, Security could have identified a huge gaping hole from the outside that would allow full system compromise; however, we didn't ask if the bank had enough funds to stay in business tomorrow. This is called operational risk, and it often trumps technical security risks. With Enterprise Risk Management (ERM) comes a comprehensive risk assessment equation and process. Defining one process that can be used and incorporated across the entire organization will allow for conformity, efficiency, and effective alignment between departments. I would refer you to ISO 31000:2009, which provides principles and generic guidelines on risk management.
Ken Stasiak is CEO and Founder of SecureState