Know the Alternatives When Negotiating IT Risk Mitigation Approaches

There are several reasons why business managers ignore IT risk recommendations from information security professionals. One of these is the perception that acting upon the advice is too costly or not practical. You can tackle this issue by presenting several alternative ways of mitigating the risk, giving the business manager an alternative to simply accepting the risk.

IT Security Risk Mitigation Alternatives

When information security professionals identify IT risks, they tend to think of the most reliable way of addressing the problem. That can be expensive. If a business manager believes the cost of fixing the issue outweighs the benefits, he or she will probably keep things the way they are, electing to maintain the status quo by accepting the risk.

In anticipation of this, prepare several risk mitigation options. For example, the most reliable way to deal with a vulnerability in a web application might be:

  1. Fix the security flaw in the code; and
  2. See whether Secure Development Lifecycle (SDL) should be implemented or modified to make it harder for such issues to reappear.

Implementing these steps can expensive and may feel overwhelming to a business manager. In this situation, consider discussing an alternative that may be less costly, though perhaps less reliable in the long term: implement a virtual patch using a Web Application Firewall (WAF). This might buy the organization some time to budget for and implement the more reliable solution (code fix and SDL).

Best Alternative to a Negotiated Agreement

Treating the risk discussion as a negotiation, the information security professional might be more effective at persuading the business manager to agree to the more reliable mitigation approach. One aspect of negotiations that might help is Best Alternative to a Negotiated Agreement (BATNA)—a concept discussed in book Getting to Yes by by Roger Fisher and William Ury.

BATNA is the course of action that a party in negotiations can take if an agreement is not reached. According to Fisher and Ury, knowing your BATNA can protect you from "accepting terms that are too unfavorable and from rejecting terms it would be in your interest to accept."

Dr. David Venter points out that when determining his or her BATNA, the negotiator should:

  • "Brainstorm a list of all available alternatives that might be considered should the negotiation fail to render a favourable agreement;
  • Chose the most promising alternatives and expand them into practical and attainable alternatives; and
  • Identify the best of the alternatives and keep it in reserve as a fall-back during the negotiation."

Information security professionals can consider their favorite way of dealing with the IT risk as their preferred outcome of negotiations. At the same time, they should understand their BATNA—the next best way of handling the security issue. This approach might provide them with the ammunition to be more persuasive in risk discussions with business managers.

Updated July 1, 2015
Lenny Zeltser

Did you like this?

Follow me for more of the good stuff.

About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more