In a discussion thread on the ISO27k Forum about engaging corporate Risk Management functions with the information security work, Nigel Landman mentioned that ‘Everything becomes a business risk’ ... which set me thinking.
Managing risks to the organization is a significant element of business management – in fact it is possible to express virtually everything about management in terms of managing risks and opportunities (upside risks). It's a very broadly-applicable and fundamental concept.
Given the importance and value of ‘information’ in any business, it’s hard to imagine any full-scope Risk Management function failing to be concerned about information risk and security, unless for some reason they are limited to specific categories or types of risk (e.g. financial, strategic, compliance, competitive etc.) and for some reason haven’t (yet!) made the connection with information risks in those areas … in which case exploring, explaining and elaborating on the information risk and security aspects in conjunction with the Risk Management function would seem to be a worthwhile activity early on in the ISO27k implementation.
The same goes for various other corporate functions that are currently disengaged, unaware or reluctant to get involved in information risk and security. The usual excuse is that “it's an IT thing”, a myth perpetuated by crudely labeling it “IT risk”, “IT security” or “cybersecurity”. Of course there are risks to or involving IT, but that’s just the tip of the iceberg of information risks, business risks, and risk in general. It's fine to focus in, but it makes little sense to attempt to manage individual categories or types of risk (including information risk, by the way) in isolation from the rest. You could even say that failing to manage information risks within the broader business context is itself a business risk - or an opportunity for improvement!
At a deeper psychological level, lack of understanding and fear of the unknown may well be factors behind the reluctance of some business people to engage with the ISO27k implementation, the Information Security Management System and information risk management. Some of the issues we are dealing with are complex and scary even for us, let alone those without a background and professional interest in the field. Couple that with our profession's almost obsessive focus on harmful, downside risks and it's easy to see why business managers might be reluctant to engage. We're making it easy for them to drop it in the "bad news" bin, leaving it to someone else. Hopefully. Fingers crossed.
I recommend making security awareness an integral part of the ISO27k implementation project as well as the ISMS. Specifically, I'm suggesting explaining information risk and security patiently to managers and other business people using business language and concepts. I gave an example here yesterday in the piece about preparing an elevator pitch on cloud security: rather than blabbering on about virtual systems and network security, we're emphasizing the business implications of cloud-related risks and opportunities. "Cloud services can be cost-effective and reliable, provided the associated risks are treated appropriately" may be just a single sentence, but it's one-tenth of the elevator pitch, a key point worth emphasizing.