Why Business Managers Ignore IT Security Risk Recommendations

Information security professionals get frustrated when their concerns are seemingly dismissed by business managers who accept the risk instead of approving the proposed remediation strategy. There are many reasons why infosec personnel’s IT security risk recommendations may not be accepted, including:

  • Business managers may be better-suited for making risk decisions than information security professionals, and are wise to accept the risk. For more on this, see Risk Decision Making: Whose Call Is It? by Jack Jones.

As information security professionals, we can do a lot better at presenting IT security risk recommendations in a more practical, business-relevant and persuasive manner. To improve, we need to first understand why our advice appears to be ignored. The list of reasons that I presented above isn’t complete, but it might be a good starting point.

For a follow-up to this post, see The Endowment Effect in Information Security.

Updated

About the Author

I design practical security solutions and shepherd them to a sustainable state. I used to be hands-on in many areas of cybersecurity and IT. Now I focus on strategy and leadership, treating security as an enabler that helps people and companies achieve their goals. As the CISO of Axonius, I lead the security program to earn customers' trust and fuel the company's growth. Earlier, I built security products and services. I'm also a Faculty Fellow at SANS Institute, where I help professionals develop malware analysis skills.

Learn more