Information security professionals get frustrated when their concerns are seemingly dismissed by business managers who accept the risk instead of approving the proposed remediation strategy. There are many reasons why infosec personnel’s IT security risk recommendations may not be accepted, including:
- Business managers may be better-suited for making risk decisions than information security professionals, and are wise to accept the risk. For more on this, see Risk Decision Making: Whose Call Is It? by Jack Jones.
- Business managers may have become immune to security concerns expressed through fear, uncertainty and doubt (FUD). For more on this, see my note When Using Fear to Sell Security Can Backfire and Mike Rothman’s Categorizing FUD article.
- Business managers may be tired of making risk decisions, and find it easier to maintain the status quo instead of acting upon the security concerns. For more on this, see my posting Choice Fatigue Might Affect Information Security Decisions.
- Business managers don’t understand the IT security risk, possibly because the infosec professional presents it in a context to which they cannot relate. For more on this, see Non-Financial “Currency” for Framing Security Discussions.
- Business managers speak a different language, which information security specialists need to adopt to improve how they communicate and discuss IT security risk topics. For some advice, see Strong Communication Skills: 10 Tips for IT Professionals and SWOT Matrix for Describing Security Posture.
- Business managers aren’t presented with practical options for handling IT security risks, and find the recommendation too costly or otherwise difficult to act upon. For my perspective on this, see Know the Alternatives When Negotiating IT Risk Mitigation Approaches.
As information security professionals, we can do a lot better at presenting IT security risk recommendations in a more practical, business-relevant and persuasive manner. To improve, we need to first understand why our advice appears to be ignored. The list of reasons that I presented above isn’t complete, but it might be a good starting point.
For a follow-up to this post, see The Endowment Effect in Information Security.