Now isn’t that so much better? Now if there is a major data breach, no one individual is to blame. However, the company goes down in flames.
The problem we are seeing, which is not unique to security, is that organizations have become enamored with risk governance at the expense of risk management. Before you accuse me of stating the obvious, please let me explain what I mean.
Although “governance” means “management and control,” it is commonly interpreted as the process rather than the substance – form over content. Committees are established, policies and procedures are documented, and training is implemented. However, the risk models and assessment methods are flawed at best and utterly misleading at worst. The models tend to be simplistic, and the planning assumptions are inadequate. Worst of all, the frequently invoked concept of “risk appetite” is at best misleading and in the worst case completely inadequate.