Should every business person respond to IT security risks?
Running a company that depends on IT means facing many issues with security risk. There is a lot of theory on how to manage risk, such as Risk Management or Risk Analysis. However, the first step against risk is how to respond and how to react at the first impression.
First, we expect the risk owner to respond because she is the protagonist of the play. She has a strong motivation to respond because her objectives are threatened by risks. If she does not see a real threat from risks or tangible benefits from resolving the risks, she stops there. For a person who has taken pains to analyze risks and invest personal time in understanding them, taking extra effort to act on them should not be difficult. The moment of inaction after the analysis is not easily justified. We need to look at this problem in greater depth.
Response to risk has two stages. In the first stage, a solution is found. In the second stage, the solution is implemented with a proper plan. Finding a solution is yet another intellectual exercise, in line with identification and analysis. Indecisiveness comes into the picture in the second stage. When the moment for action comes, the protagonist stalls. Action involves change, needs commitment, and calls for the spirit to overcome barriers. Analysis is a desktop exercise, whereas action is field work.
In the early phases of risk culture, people are afraid that risk response plans are extra work for which they may not be rewarded. They may view risks as distractions. Some may decide to “watch” risks and delay action, hoping that the pressure to respond would ease with time; perhaps they also hope that the project will reach closure soon and the risks would be transferred to posterity.
If reluctance is overcome, the first response serves as a small beginning. Risk awareness results in subtle adjustments to the ways people plan to execute work. The goals are reexamined. The Work Breakdown Structure is revisited and the tasks affected by risks are reexamined. Risk-generating dependencies and the features list are studied, and those features infected with critical risks are reviewed.
So, do you have any other opinions about how we should respond to IT security risks?