My latest column for @ISACA was published today. In it I talk about the benefits of using verbal risk labels (things like high, medium, and low) and give some examples where this is helpful in the treatment of Type 1 Diabetes. This is an important concept for those like myself that are dedicated to quantitativeContinue reading “In Defense of Verbal Risk Labels”
Sometimes, the organization you work for will need to make budget cuts. And sometimes that means cuts to the security budget. How that should be handled is the subject of my latest @ISACA column.
My latest @ISACA article posted today. I was really pleased with this one as it uses an easily understandable metaphor to call out the often experienced desire of people to live life without risk (as evidenced by statements such as “We don’t accept any risk…”). Take a look and let me know what you think.Continue reading “The Dose Makes the Poison”
Risk management is all about making forward-looking statements about things that may or may not come to pass. This is also known as forecasting. Read more about this in my latest @ISACA column.
In this month’s @ISACA column, I tackle politics and the orientation that risk professionals should have when working in political environments. The ethical obligations of risk professionals are not as well known as they are for other professions, but they are no less important. We have an ethical obligation to tell inconvient truths about riskContinue reading “Risk and Politics”
In my latest @ISACA column, I tackle the problem of project triage. Its a pernicious problem that many security departments have to manage: we have to check everything currently in place, yet new stuff is being added all the time. I address this problem from a risk perspective: we need to allocate our scarce securityContinue reading “Security Project Triage is all about Resource Allocation”
In this edition of the @ISACA newsletter, I tackle the common problem of shared risk ownership. The behavioral economics of this scenario makes it a challenging one to solve. I’m interested in hearing any solutions you may have found to be useful.
The April @ISACA newsletter was published last week with my piece called “Risk Palimpsest.” I ran across this unusual word in some non-risk reading I was doing and I was instantly struck with what a great metaphor it was. You can read it here (and also learn what a palimpsest is).
Just a quick note about this month’s column (available here). I’m getting the sense from the risk and control professionals I’ve spoken with recently that there is a greater realization of the separation of duties incumbent upon risk functions. In this piece, I briefly discuss how to use reporting to make this clear, and driveContinue reading “Effective Approaches to “Bringing the Pain” With Risk Management”
My latest column was published today with the above title and I wanted to call out two things with this one. First, since risk drives the selection of priorities, it only follows that its stressful work. Decision making is mentally taxing, so the professionals whose job it is to facilitate that will shoulder that burdenContinue reading “Risk Work is Stressful”