There was a time when the IT security department had the only say in approving or denying operational requests. It made for an easier, more secure place to work -- but there was no real communication with business development and operations to determine which actions were, in fact, worth risking in the name of achieving business goals.
These days, senior management and the risk management department are increasingly in charge of the final decision as to how much risk is acceptable for a given operation, from requiring near-perfect safety to accepting absolutely open operations. IT security's task is now to analyze a particular pursuit for threats and risks, list mitigations (and risk acceptances), and perhaps offer recommendations. IT security shouldn't be making the ultimate call on risks. To be honest, I like it that way. Why be responsible for more than you have to be?
The challenge has been for management to understand and accept the reality that there's almost always a chance of risk. After all, it's tough to predict unknown unknowns. I doubt, for example, that decision makers at organizations such as Sony, RSA, and the U.S. Army understood that leaving computers unpatched or allowing end-users to click anything they wanted would likely lead to reputational compromises costing hundreds of millions of dollars.
Yet some CEOs or boards of directors either aren't prepared to hear about the potential costs of an attack or of implementing perfect security. The best organizations, by contrast, understand that reputational cyber attacks are likely to happen in the future -- thus, they don't shoot the messenger. IT security departments need to feel confident and secure in being able to deliver the potentially bad news as accurately as possible.
Figuring out the probability of a particular risk occurring requires first acknowledging that it is likely to happen. If the likelihood is truly low, then it's an easy probability to plug into your equation: 0.0 percent. If it is likely to happen in the future but you don't have historical measurements on which to base future estimates, start with a long time range and work backward.