Why Business Managers Ignore IT Security Risk Recommendations

Information security professionals get frustrated when their concerns are seemingly dismissed by business managers who accept the risk instead of approving the proposed remediation strategy. There are many reasons why infosec personnel’s IT security risk recommendations may not be accepted, including:

  • Business managers may be better-suited for making risk decisions than information security professionals, and are wise to accept the risk. For more on this, see Risk Decision Making: Whose Call Is It? by Jack Jones.

As information security professionals, we can do a lot better at presenting IT security risk recommendations in a more practical, business-relevant and persuasive manner. To improve, we need to first understand why our advice appears to be ignored. The list of reasons that I presented above isn’t complete, but it might be a good starting point.

For a follow-up to this post, see The Endowment Effect in Information Security.

Updated

About the Author

Lenny Zeltser develops teams, products, and programs that use information security to achieve business results. Over the past two decades, Lenny has been leading efforts to establish resilient security practices and solve hard security problems. As a respected author and speaker, he has been advancing cybersecurity tradecraft and contributing to the community. His insights build upon 20 years of real-world experiences, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.

Learn more