Q. How can I maintain management’s attention to the risk that hasn’t happened yet without becoming the "Chicken Little" of the corporate governance team?
Typically, most successful Chief Security Officers are also good communicators, and this is a classic opportunity to educate management on a variety of perspectives.
First, as security manager you know the kinds of conditions that contribute to risk and loss and the trends in your industry or area. If you are probing and identifying exploitable vulnerabilities around critical assets and processes, you have a great script to bring to that discussion with management. Your findings will either support the effectiveness of existing internal controls or identify gaps and defects that your probes will have caused to be eliminated. In both cases, you can talk about deterrence and measurable risk avoidance.
Secondly, we have a unique lens to view trends and conditions that foretell risk: leading indicators. And just as the Chief Financial Officer will use their dashboard to guide the business, we also can provide a variety of alerts to steer strategy and alter risky behavior.
The message need not be about the sky falling, but rather should be about the fact that you are aware of what security measures work really well to detect and prevent risk events and that you know what preventive measures need to be implemented. Maintaining these risk mitigation strategies at a high degree of collective competence will consistently demonstrate that you are avoiding many of the risks other companies are experiencing, and what is happening elsewhere is not necessarily happening here.
For more information read: Leading IndicatorsTracking Leading and Lagging IndicatorsCreate a Security Awareness Dashboard
Answer provided by George Campbell, Security Executive Council Emeritus Faculty.