“Our businesses are in the business of taking risks. That’s what we do for a living. We spend money in hopes of making more money. And so we already have some risk tolerance built in,” said Andy Ellis (@CSOAndy), CSO of Akamai Technologies in our conversation at the 2013 RSA Conference in San Francisco.
“People have a set point of how much risk they’re willing to tolerate. Until you start to understand that you’re going to have a hard time convincing them to prioritize some risks and not other risks. What we need to do is tap into that risk tolerance and make sure the risks that are security related against that gamble of making more money are well understood by the business because that will change their calculation,” said Ellis, who notes it’s actually a mental calculation and not necessarily something you can calculate on paper.
Business owning the risk
“If the security team owns the risk then the business will just take more risk,” said Ellis of the old days of risk management where infosec owned the risk and the business would just forget about it. Today, the business owns the risk and they have to sign off on it. At Akamai, understanding your risk profile is a forced exercise every time you have another release.
“Now [the business] carries it forward into their next release, so they’re more likely to fix those problems or make fewer problems in future releases because their risk budget is already being strained by these other risks,” said Ellis.