Security vs Risk Management

Steve Horstman
Jul 10, 2017 · 2 min read

Seemingly nuanced word choices can matter in impactful ways. In our profession there is no more striking example than the word security. It’s ubiquitous in our roles. We work in Information Security groups. We are security professionals. Therefore our jobs must be to secure our organizations.

I sure hope not. Anyone out there work for a secure organization? Have that sucker all locked down? Can’t be hacked? Confidentiality, integrity, and availability all covered?

If our jobs are to secure our organizations, we’ve all failed. Miserably. It’s possibly the most sweepingly complete failure of a group of people since folks in the 1970s tried to dress themselves.

As ridiculous as the idea of absolute security may seem, laypeople everywhere take it very seriously. There are large numbers of residents who overestimate their security because they have a security system. There are millions of citizens and politicians willing to give governments sweeping and unchecked powers in the name of security. And more to this point, there are thousands of CEOs and board members who think that if they have a security team then they are secure. Sadly, a natural corollary of that flawed theory is that if an organization has been compromised then the security team has failed.

Our real failure may have just been using the wrong word. The use of the word security marks our failure as clearly as bright plaid and bell bottoms.

As security professionals we may be all failures in the end, but as risk managers we have hope for success.

As security people our job is to make things secure. As risk managers our job is to identify, evaluate, address, escalate, and track risks.

As security professionals we pull our hair out and curse our corporate overlords for not backing our initiatives. As risk managers we outline potential controls and the risks they address (without exaggeration) and calmly accept management’s informed decision knowing that we’ve done our jobs.

As security professionals we work endless hours to make up for the funds that management should give us but won’t. As risk managers we clearly state what can be accomplished with existing resources and what can’t, live up to our promises, and let management decide if more needs to be done.

“Security” is a pipe dream. It inherently implies that the impossible is possible, and we should all work to banish it from our vocabularies.

Congratulations! You’re all risk managers now.

Written by Steve Horstman

Steve (CISSP) has worked in IT Risk Management since 2003. He has twice developed risk management programs for medium-sized financial institutions.
