Why don’t companies apply more risk analysis?


So, here we are, all trained up in Risk Analysis, knowing about the risks of hiring and firing, disgruntled employees, various litigations, and more. We’re often considered pests for asking the “Why Are We Doing This” questions about new technology and initiatives that bring security risks.

But how often are we consulted on the risks of hiring and firing STRATEGIES, never mind the tactical things like vetting and cancelling accounts? Additional questions that need to be asked include:

  • What are the costs of cutting people?
  • What do we think the benefits are?
  • How long out will it go? And after we do it, what is our plan once business picks up?
  • How long will that take?
  • Will we be able to get people like this back?
  • What are the effects on the people inside?

Now *THOSE* are quite legitimate questions for a business analyst to ask, so why aren’t they legitimate questions for a project manager to ask, for a security manager to ask?


About the author

Security Evangelist
