Thursday, March 21, 2013

Andy Ellis: We're Already in the Business of Risk : The State of Security


"Our businesses are in the business of taking risks. That's what we do for a living. We spend money in hopes of making more money. And so we already have some risk tolerance built in," said Andy Ellis (@CSOAndy), CSO of Akamai Technologies, in our conversation at the 2013 RSA Conference in San Francisco.

"People have a set point of how much risk they're willing to tolerate. Until you start to understand that, you're going to have a hard time convincing them to prioritize some risks and not other risks. What we need to do is tap into that risk tolerance and make sure the risks that are security related against that gamble of making more money are well understood by the business because that will change their calculation," said Ellis, who notes it's actually a mental calculation and not necessarily something you can calculate on paper.

Business owning the risk

"If the security team owns the risk then the business will just take more risk," said Ellis of the old days of risk management where infosec owned the risk and the business would just forget about it. Today, the business owns the risk and they have to sign off on it. At Akamai, understanding your risk profile is a forced exercise every time you have another release.

"Now [the business] carries it forward into their next release, so they're more likely to fix those problems or make fewer problems in future releases because their risk budget is already being strained by these other risks," said Ellis.



This post was written by:

David Spark has contributed 137 posts to The State of Security.


David Spark is a veteran tech journalist and founder of Spark Media Solutions, a media consulting and production company. Acting as the "media" of "social media," Spark Media Solutions helps its clients be seen as leading voices in their field through brand-quality media production and distribution through top tier media channels.

Source: http://www.tripwire.com/state-of-security/it-security-data-protection/connecting-security-to-the-business/andy-ellis-were-already-in-the-business-of-risk/?utm_source=rss&utm_medium=rss&utm_campaign=andy-ellis-were-already-in-the-business-of-risk
