IT security has a tough job. A team can secure certain elements and applications one day, only to come in the next day and discover that those very same applications and elements are no longer secure, resulting in a second (or third, or fourth) attempt at securing the application against a new threat. Erica Chickowski recognizes IT security's need for risk management for this reason alone. Instead of spending each day fixing the same problems, why not learn from risk management: consider priority, weigh what benefits the business as a whole, and align the security effort for increased visibility. Risk management helps clear up the confusing elements that IT security alone struggles with:
“Would you spend $2000 to protect something that is worth $2000? It wouldn't make sense, right? Well, without risk assessment, you can't evaluate your risk and hence you can't evaluate what you should be spending,” says Pierluigi Stella, CTO, Network Box USA. “Proper risk management is important to understand even just how much to spend. What are you protecting? What is it worth to you? What will the consequences be to your company if you lose that information or if it falls in the wrong hands? Assess it, and then manage it.”
So what stops IT security from implementing risk management effectively? To start, it's hard to convince stakeholders that risk management is worth the effort. C-level executives are too busy to be bothered with the troubles and risks that IT security encounters, and that severely hampers initial attempts to get buy-in from anyone outside of IT security.