Two concepts about risk many companies get wrong

Ben Rothke
3 min readJan 17, 2024

Information risk management

Information risk management is a highly complex topic encompassing countless fields. At its core, it is about identifying, evaluating, and prioritizing data risks.

Even though information risk management has been around for decades, there are still concepts that many people get wrong. I want to highlight two of these briefly.

You can’t eliminate risk

The field in which many of us work is called risk management. It is all about managing risks. If risks could be eliminated, there would not be much to manage.

I recently got an email from a vendor (it doesn’t matter their name) about their services. This led me to their website where they proclaimed Eliminate Security Risks.

This is egregious as you can’t eliminate risk.

Every book on risk makes it eminently clear that a company’s risk can be addressed in various ways. There are countless lists of these, some listing three methods, others listing more. But the most common and accepted approach around risk management is to deal with them…



Ben Rothke

I work in information security at Tapad. Write book reviews for the RSA blog, & a Founding member of the Cloud Security Alliance and Cybersecurity Canon.