Comments on: Why Information Security Professionals Should Learn Texas Hold ‘em Poker http://www.bloginfosec.com/2008/06/11/why-information-security-professionals-should-learn-texas-hold-em-poker/ An Information Security Magazine in a Blog Format Mon, 30 Jan 2012 11:01:25 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Navin http://www.bloginfosec.com/2008/06/11/why-information-security-professionals-should-learn-texas-hold-em-poker/comment-page-1/#comment-10576 Navin Fri, 18 Jul 2008 06:19:36 +0000 http://www.bloginfosec.com/?p=448#comment-10576 Agree with you Gary. I think that the business would actually like us to be calculated risk takers. Business leaders are all about taking calculated risks so that they can effectively execute on business strategy. Since we are best placed to make decisions regarding acceptable risk relating to information security, if our risk appetite is significantly different to that of the business, then we will either pull them back or pitch them forward. We've got to calibrate infosec risk against business operational risk, financial risk, etc. and make decisions regarding information security in the same vein. Agree with you Gary. I think that the business would actually like us to be calculated risk takers. Business leaders are all about taking calculated risks so that they can effectively execute on business strategy. Since we are best placed to make decisions regarding acceptable risk relating to information security, if our risk appetite is significantly different to that of the business, then we will either pull them back or pitch them forward. We’ve got to calibrate infosec risk against business operational risk, financial risk, etc. and make decisions regarding information security in the same vein.

]]> By: Gary http://www.bloginfosec.com/2008/06/11/why-information-security-professionals-should-learn-texas-hold-em-poker/comment-page-1/#comment-7860 Gary Tue, 17 Jun 2008 08:42:49 +0000 http://www.bloginfosec.com/?p=448#comment-7860 Speak for yourself, Kenneth. Not all infosec pros are "risk adverse" as you say (I believe you mean 'risk averse', by the way). Risk aware, maybe, cautious by nature but not risk averse. To get things done in The Real World, most of us realized early in our careers that outright principled risk aversion sets us against the rest f the organization. It's the root cause of naive ISM functions commonly being known as The No Department. I'm not saying we should be The Yes Department either. Mostly I'd settle for a "Yes If ..." or "No Unless ...", so long as it leads to incremental improvement and a greater level of knowledge, understanding and most of all accountability for our business management colleagues who are paid to make the difficult decisions. And there ARE situations in which it is totally appropriate to say No! NO! NO NO NO! The trick is to pick your battles, and beware the scars. G. Speak for yourself, Kenneth. Not all infosec pros are “risk adverse” as you say (I believe you mean ‘risk averse’, by the way). Risk aware, maybe, cautious by nature but not risk averse. To get things done in The Real World, most of us realized early in our careers that outright principled risk aversion sets us against the rest f the organization. It’s the root cause of naive ISM functions commonly being known as The No Department.

I’m not saying we should be The Yes Department either. Mostly I’d settle for a “Yes If …” or “No Unless …”, so long as it leads to incremental improvement and a greater level of knowledge, understanding and most of all accountability for our business management colleagues who are paid to make the difficult decisions. And there ARE situations in which it is totally appropriate to say No! NO! NO NO NO! The trick is to pick your battles, and beware the scars.

G.

]]>