6 Reasons Why Business Managers Ignore IT Security Risk Recommendations

Information security professionals get frustrated when their concerns are seemingly dismissed by business managers who accept the risk instead of approving the proposed remediation strategy. There are many reasons why infosec personnel’s IT security risk recommendations may not be accepted, including:

  • Business managers may be better-suited for making risk decisions than information security professionals, and are wise to accept the risk. For more on this, see Risk Decision Making: Whose Call Is It? by Jack Jones.

As information security professionals, we can do a lot better at presenting IT security risk recommendations in a more practical, business-relevant and persuasive manner. To improve, we need to first understand why our advice appears to be ignored. The list of reasons that I presented above isn’t complete, but it might be a good starting point.

For a follow-up to this post, see The Endowment Effect in Information Security.

Lenny Zeltser

31 notes

Show

  1. pleb reblogged this from lennyzeltser
  2. lennyzeltser posted this

Blog comments powered by Disqus

  • posted 25 April, 2011

  • 31 notes for this post