For quite a while now, I’ve been claiming that in order for InfoSec to do it’s job properly, it needs to understand the business.
— Whose Line Is It Anyway? Arthur, Emergent Chaos, 10 July 2007
Let’s go a bit farther:
Yesterday, Jack Jones again showed that he’s in the same camp when he asked us: "Risk Decision Making: Whose call is it?" There he shares his thoughts how to decide whether or not the Information Security team should be making information risk decisions for a company or if that should come from upper management.
I would claim that this shouldn’t be an either/or question: it’s a both/and.
If a company has no high level executive who understands risk at at least the “don’t bet the come” level, it’s probably not going to be in business very long. Yet you can’t expect CEO, CFO, CIO, etc. to know a lot about technical details of IT security or even financial risk analysis. Well, maybe you can expect a CFO to know that latter. And somebody at the top, possibly the CFO, needs to be closely communicating with somebody in the company who does know the details of IT security about information risk decisions. I suppose that’s why companies have high level strategists and lower level specialists, eh?
Do read Jack Jones’ posting; it’s got nice charts with boxes and lines that spell out the question with enough specifics that detail-oriented IT security people and CFOs should get it.