The InfoSec Blog

More on how to win friends and influence management

Posted by Anton Aylward

Take a look at

Forget ROI and Risk. Consider Competitive Advantage
by Richard Bejtlich

I note the line that so many of us in the InfoSec business have encountered and complained about ...

As we've seen during the last few years, "risk" has turned out to be a dead end too. The numbers mean nothing. Even if you could somehow measure risk, it's easy enough for managers to accept a higher level of risk than the security manager.

Indeed.

But so many 'authorities' - ISO-2700x, ISACA's COBIT, ValIT and RiskIT as well as its Professional Practices - all focus on Risk Analysis.

We've recently seen mention of NIST 800-30.
There on page 9 is a nine-step (why not 12-step?) program for what they call "Risk Assessment". Actually it isn't; it involves controls and results. It makes it look sooooo simple! But as many practitioners have pointed out, in many ways it's not like that in reality. Many of us question if it's doable.