It can be quite instructive to turn the usual approach to risk management on its head. Instead of information security professionals identifying and elaborating at length on the information risks that are clearly unacceptable and patently need to be mitigated (in our usual risk-averse way), why not address the question “What information risks can we afford to take?” or, more controversially still, “What information risks might we actively exploit?”
Viewing situations from different perspectives can open up new ways of thinking about them. In the context of information risks, that may involve considering and perhaps consciously deciding not to mitigate them as we normally do. As an added bonus, such a change of approach might result in the information security function being perceived as a business-enabling, cost-reducing, creative-thinking group, as opposed to the usual “No department” – as in “The answer is NO! Now what’s the question?”.
Here's a topical illustration. I suspect the overwhelming majority of information security, privacy and compliance professionals currently grappling with GDPR (the EU's General Data Protection Regulation) are, in the conventional manner, driving their organizations hard to become fully 100% compliant by the deadline, sooner if possible: compliance is our default, knee-jerk position, to the extent that few of us would seriously have considered other options. Many of us would dismiss the alternatives out of hand, aghast that anyone could even seriously suggest them ... and yet, from a pure business or indeed risk management perspective, things are not nearly as clear cut.
Arguably, the organization may need to be sufficiently compliant with GDPR at or near the deadline to avoid (a) being caught out, and (b) suffering catastrophic breaches and excessive costs ... but that’s not quite the objective that I suspect most infosec pros, CISOs etc. have in mind. Strategic options such as 'not being caught out' and 'minimizing penalties through negotiation' ought to be considered too even if, at the end of the day, compliance ends up being the chosen approach.
My point is that those other options won't even occur to most of us.
Compliance with GDPR (or whatever) is just another business risk that can be treated by acceptance, sharing/transfer, avoidance or mitigation by reducing the probability and/or the impact. Those risk treatment options involve various business costs and opportunities, all of which are worth due consideration.
Blinkers off, please. Let's broaden our perspective.