6 Reasons Why Business Managers Ignore IT Security Risk Recommendations

Information security professionals get frustrated when their concerns are seemingly dismissed by business managers who accept the risk instead of approving the proposed remediation strategy. There are many reasons why infosec personnel’s IT security risk recommendations may not be accepted, including:

  • Business managers may be better-suited for making risk decisions than information security professionals, and are wise to accept the risk. For more on this, see Risk Decision Making: Whose Call Is It? by Jack Jones.

As information security professionals, we can do a lot better at presenting IT security risk recommendations in a more practical, business-relevant and persuasive manner. To improve, we need to first understand why our advice appears to be ignored. The list of reasons that I presented above isn’t complete, but it might be a good starting point.

For a follow-up to this post, see The Endowment Effect in Information Security.

Lenny Zeltser

Updated

About the Author

Lenny is a business and tech leader with extensive experience in information technology and security. His areas of expertise include incident response, cloud services and product management. Lenny focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches digital forensics and anti-malware courses at SANS Institute. Lenny frequently speaks at conferences, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.

Learn more