I’m on the plane heading back home from Symposium and have to admit I noticed a really weird trend this week. Maybe not a trend per se, but something I haven’t heard before, and I heard it more than once.
In two separate one-on-one meetings clients told me they’d reorganized their security teams and were now calling them “risk management”. No security anymore, just risk management.
I’m a big proponent of risk management. I even wrote a framework before it was cool (the Gartner Simple Enterprise Risk Management framework if you want to look it up). Now all the kids are into it, but I get worried when any serious topic enters the world of glamorous trends. Usually it means anyone with a tambourine starts jumping on the bandwagon. Problem is, without a lead guitar, drummer, keyboardist, or even, god forbid, a bassist, there’s a lot of noise but they ain’t about to break out in a sudden rendition of Freebird. Probably. Not.
Risk management is a tool used by security practitioners, and security is a powerful tool for risk management. If you catch me in a rare moment of spiritual honesty I’ll even admit that security is all risk management. I even often recommend that security report to a Chief Risk Officer (or your title-happy equivalent). Risk management is mitigating loss or the potential for loss. Security is one tool to reduce risk, and a good security team uses risk management as a technique for balancing the costs and benefits of security controls and deciding where to focus limited resources. (At this point I’d like credit for not expanding the innuendo of the title with some… uh… circular arguments. I’m not completely juvenile. Probably. Not.)
But dropping the name “security” is just silly. Both security and risk management are established disciplines with related but different skills. Risk management plays the higher-level role of evaluating risk across the enterprise, helping business units design risk controls, measuring exposures, and taking action when those exposures exceed tolerance. It’s a guiding role since risk managers will NEVER have the same depth of domain expertise as someone with years of experience in their particular business specialty.
Security is one of those specialties (and notice I didn’t just say “information” security). Yes, good security professionals have strong risk management skills since nearly every security decision involves risk. That doesn’t mean we’re experts in all types of risk. It does mean we’re domain experts in ensuring the confidentiality, integrity, and availability of either IT systems (for us geeks) or the physical world (for us goons).
It’s security. Don’t re-label it risk management. It’s okay to report to risk management, but it’s still security.