Everyone in the enterprise has a very different grasp on IT risk, and different ways to express it. Putting financial metrics on IT risk gives everyone a common language.
IT risk in a large organisation can be a lot like the parable of the three blind men who each touch an elephant and describe a tree trunk, a rope, or a pillar. Everyone is actually working on the same big picture, but their view of the subject at hand can be completely different.
The board wants to drive shareholder profits and mitigate risk. It doesn’t want to get involved in operations — that’s management’s job, and managers are usually far from being IT experts.
Management doesn’t really understand IT, either; it just knows it has to work. Every dollar spent on the IT department’s “the sky will fall unless we buy this new toy” missives can’t be spent on further growth to report to the board. And many projects have no direct ROI. As Yuval Illuz, deputy CIO of ECI Telecom, Israel, put it: “Getting management to pay attention to information security can be difficult, because we’re trying to prevent something that hasn’t happened yet.”