Know the Alternatives When Negotiating IT Risk Mitigation Approaches

There are several reasons why business managers ignore IT risk recommendations from information security professionals. One of these is the perception that acting upon the advice is too costly or not practical. You can tackle this issue by presenting several alternative ways of mitigating the risk, giving the business manager an alternative to simply accepting the risk.

IT Security Risk Mitigation Alternatives

When information security professionals identify IT risks, they tend to think of the most reliable way of addressing the problem. That can be expensive. If a business manager believes the cost of fixing the issue outweighs the benefits, he or she will probably keep things the way they are, electing to maintain the status quo by accepting the risk.

In anticipation of this, prepare several risk mitigation options. For example, the most reliable way to deal with a vulnerability in a web application might be:

  1. Fix the security flaw in the code; and
  2. See whether Secure Development Lifecycle (SDL) should be implemented or modified to make it harder for such issues to reappear.

Implementing these steps can expensive and may feel overwhelming to a business manager. In this situation, consider discussing an alternative that may be less costly, though perhaps less reliable in the long term: implement a virtual patch using a Web Application Firewall (WAF). This might buy the organization some time to budget for and implement the more reliable solution (code fix and SDL).

Best Alternative to a Negotiated Agreement

Treating the risk discussion as a negotiation, the information security professional might be more effective at persuading the business manager to agree to the more reliable mitigation approach. One aspect of negotiations that might help is Best Alternative to a Negotiated Agreement (BATNA)—a concept discussed in book Getting to Yes by by Roger Fisher and William Ury.

BATNA is the course of action that a party in negotiations can take if an agreement is not reached. According to Fisher and Ury, knowing your BATNA can protect you from "accepting terms that are too unfavorable and from rejecting terms it would be in your interest to accept."

Dr. David Venter points out that when determining his or her BATNA, the negotiator should:

  • "Brainstorm a list of all available alternatives that might be considered should the negotiation fail to render a favourable agreement;
  • Chose the most promising alternatives and expand them into practical and attainable alternatives; and
  • Identify the best of the alternatives and keep it in reserve as a fall-back during the negotiation."

Information security professionals can consider their favorite way of dealing with the IT risk as their preferred outcome of negotiations. At the same time, they should understand their BATNA—the next best way of handling the security issue. This approach might provide them with the ammunition to be more persuasive in risk discussions with business managers.


About the Author

Lenny Zeltser develops products and programs that use security to achieve business results. He is the CISO at Axonius and Faculty Fellow at SANS Institute. Lenny has been leading efforts to establish resilient security practices and solve hard security problems for over two decades. A respected author and practitioner, he has been advancing tradecraft and contributing to the community. His insights build upon real-world experience, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.

Learn more