With this article from CSO:
CSO: Seciurity (sic) Veto Can Impede Business, by Andreas M. Antonopoulos
Sloppy spelling aside (like I'm one to talk -grin-), I really don't like the idea of IRM having "veto" power. Ideally, IRM would present a risk analysis for the data owners (you know, the business people) to accept or reject, complete with options to lessen the risk. When I say "accept", I mean that the data owners sign a statement that they are the ones accepting responsibility for any losses that might occur should they take on the risk the analysis has identified. A control against liberal acceptance of risk would be to require that any decision to accept some level of risk ("high", perhaps, or a threshold set by PLM/WCLM) without additional controls be reviewed by an executive committee.
Of course, this is the ideal situation. In reality, executives probably see this IRM decision as exactly what they went out and hired a CRO and a CSO for in the first place.
Note that I said "lessen" above, and purposefully didn't use "mitigate": there's a connotation these days that "mitigate" means "remove". It actually means "lessen", of course, but to me this is a case where the simpler word gives a more accurate impression of what's actually being expressed.
The reason I don't like the veto? It tends to move us toward the political role of "bad cop" or "speedbump". Either way, injudicious use of the "risk veto" results in IRM being isolated from all the important places where we should be welcomed to the table.
What do you think? Am I way off in "theoryland" here? Is "mitigate" losing its effectiveness?
Tags: compliance, information risk, information, risk, risk management, security, information security, governance, enterprise architecture
(via RiskAnalys.is)
June 22, 2007, 9:32am