Two concepts about risk many companies get wrong
Information risk management
Information risk management is a highly complex topic encompassing countless fields. At its core, it is about identifying, evaluating, and prioritizing data risks.
Even though information risk management has been around for decades, there are still concepts that many people get wrong. I want to highlight two of these briefly.
You can’t eliminate risk
The field in which many of us work is called risk management. It is all about managing risks. If risks could be eliminated, there would not be much to manage.
I recently got an email from a vendor (their name doesn’t matter) about their services. This led me to their website, where they proclaimed “Eliminate Security Risks.”
This is egregious as you can’t eliminate risk.
Every book on risk makes it eminently clear that a company’s risks can be addressed in various ways. There are countless lists of these, some listing three methods, others listing more. But the most common and accepted approach to risk management is to deal with them…