The list of top ten IT security risks is a bad idea.

Why?

The reason is that you are the only business leader in your organization doing this. Do you think that the sales leader in your company expresses her plans with certainty and deterministic figures?

I don’t think so.

She has no certainty at all. The only certainty in sales is that there is no certainty. Period.

She has ranges that she communicates based on certainty. For example, selling a maintenance renewal contract on an existing customer has more certainty than a ‘net new’ customer sale so this would be presented as a percentage of revenue with higher probability.

3 great ways to present the risks are:

• The best way to present impact of security events is with ranges.
• The second best way is to present based on probability.
• The third is to combine both of these together

A good way to start presenting data in a way that is more useful to the business than just showing your top ten lists and how you plan to combat it is to gather data.

These are a few great resources on this subject for you to check out:

• The article by Jack Jones about presenting data to a board.
• A very good book on this subject is called “How to Measure Anything” by Douglas Hubbard.

Alternatively, you can apply a FAIR framework which gives you the ability to apply Socratic thinking to your problem.

Find the links to Jack Jones’ work on developing a FAIR model here.

I had a conversation with Jack on this topic where he shared the opinion that some IT professionals favor combat when it comes to protecting their organization. They go toe-to-toe with the auditor instead of throwing their forces to educate people on how to prevent risk.

I found this conversation particularly interesting as I had been listening to CIOs and CISOs telling me that the auditor had just instructed them to buy expensive data at rest encryption software – a point solution to solve all their security woes.

I believe that you need tools that reduce the ceiling of complexity for yourself so that you can ‘take on’ and defend reasons Not to do things.

 Any IT Leader can assess a potential risk and throwing more money at shiny new toys just increases the complexity of your security posture. It is only when you examine the probability of a security risk and include planning, can you truly begin to form a true assessment and action plan.

Listen to my podcast featuring each week interviews with Master Mind CIOs, experts in IT leadership, IT security, business innovation, entrepreneurship, and a mix of fearless innovation, ideas and inspiration.

Reduce the Ceiling of IT Security Complexity with the CIO Security Scoreboard. Learn more here