In my role as a business owner and information security consultant I talk to a lot of people. Some of these people are business owners or leaders like me. Others are security or IT professionals. There is one common theme that I see frequently. Outside of the Fortune 500 circle (and even inside it at times) there seems to be a lack of clarity on IT risk management in the company.
From my CEO peers I hear "I can't believe (fill in manager name here) made that decision. Didn't (he/she) understand the risk and what was at stake?" What I hear in this comment is that there may be a communication issue if operational management is making business decisions that "shock" the CEO. Perhaps the manager isn't fully aware of the risk that the CEO sees. My question becomes: why? A good risk management process works to identify, communicate and mitigate risk within an organization. CEOs who are "shocked" by risky decisions should really evaluate their risk management programs to make sure the people they entrust with daily decision-making have the proper information to make good decisions.
On the flip side I hear my IT and security peers say things like "My CEO read my report, couldn't see the risk and chose to ignore my recommendation." What I hear in this is that the individual failed to make a compelling case as to why the risk was so great that it shouldn't be ignored. The CEO read the report, considered the risk and made a decision. While the decision wasn't what the individual had hoped for, it wasn't ignored. The recommendation was considered but the CEO chose not to follow it.
What this tells me is there is a disconnect between business leaders and their operational management or IT and security management. When the two groups aren't on the same page from a risk perspective, bad things happen. CEOs must communicate what they are worried about to their teams if they expect those teams to help them manage risk. And operational teams must find ways to explain risks they discover in terms their CEO will understand and appreciate. Until both teams are working together to identify, communicate and mitigate risk, the bad guys will continue to have big victories.