
For many organizations, Information Risk Management and Security (IRMS) is rapidly advancing in both concept and practice. At such a fast pace, it’s not too surprising that even the most experienced IT Risk and Security professionals will make mistakes.

Recently, John Pironti, CGEIT, CISA, CISM, CISSP, CRISC, ISSAP, ISSMP and President of IP Architects, LLC co-authored a useful executive brief with Tripwire’s Chief Technology Officer, Dwayne Melancon. Both John and Dwayne have spent many years not only practicing and learning in the industry, but talking with CISOs and other IT security and risk professionals out there on this topic. In this paper, they discuss the five most common mistakes to avoid in managing risk and security.

The top 5 mistakes to avoid:

  1. FOCUS ON SECURING TECHNOLOGY INSTEAD OF BUSINESS PROCESSES AND DATA
  2. DEVELOP METRICS AND MEASURES WITHOUT THRESHOLDS AND ACTIONS
  3. USE THE WORD “RISK” WHEN YOU ACTUALLY MEAN “THREAT” OR “VULNERABILITY”
  4. TRUST, BUT FAIL TO VERIFY
  5. FEAR THE AUDITOR MORE THAN THE ATTACKER

Whether the mistakes are big or small, and however many are made, there is potential for long-lasting negative impact to your business. When we understand what those common mistakes are and learn from them, we will be more successful with IRMS. That’s the goal here. If this interests you, you can read more about the topic in the full 4-page executive brief.

Download the Five Mistakes to Avoid in Information Risk Management and Security executive brief here.

What makes your top 5 mistake list? Share with us below. Or, reach out directly to @ThatDwayne or @JohnPironti and let them know what you think. There is opportunity for all of us to learn.

All the best,

@crystalmiller

Related Articles:

2012 Ponemon Report: The State of Risk-based Security Management

Risk Management: Are you Walking the Risk Talk?

Risk Management: What Could Happen, Why, and When?