Risk Management vs. Security Management: Which is the better sell?
Dr. Michael Kelley believes that his DOD project management and security management experience of over 15 years has given him a unique advantage in spanning the gap between the boardroom language of “Risk Management” and the more technical functions of “Security Management.” Dr. Kelley is convinced that many security professionals would be more effective by adopting a “Risk Management” posture.
(PRWEB) February 20, 2006 --
As both a PMP and a CISSP, I find it increasingly alarming to see how little many security professionals know about security project management. We have seen an increase of awareness among PMP-certified professionals in the area of security, but a growing gap on the part of CISSP-certified professionals in the area of project management. This trend appears to be growing as advancements in security technologies continue to push the envelope.
I believe that much of this can be attributed to a “generational gap” among our up-and-coming security professionals. Along with this explosive security industry growth, we see a “pushing back” from other industries unaccustomed to the harness of strict regulatory mandates. As these industries grapple with making room for the ISO/CSO functionary roles, they also realize that the competition for project funding has intensified.
The reactionary response to all of this has repeatedly driven a wedge between IT and Business, driving home a misinterpretation of security practitioners’ roles and responsibilities as strictly a Security Management function. The traditional response is to box Security Management into the less invasive “information-threats-only” category of functionary responsibility.
On the other hand, early adopters have enjoyed the advantages of a broad vision of the ISO/CSO functionary role. They see Security Management as a vital business function, having exercised the same concepts and strategies under the leadership and protection of “Risk Management.”
Public sector agencies and savvy private sector corporations have long since incorporated Risk Management as a fundamental “business” principle, providing a thriving and vital corporate linkage of support for the Security Management functionary.
The obvious advantage is the ability to directly engage all levels of mission-critical business functions, from corporate stakeholders to departmental managers and valued organizational knowledge experts. Their vision of the Security Manager is one of reducing and managing corporate risk rather than a company-hired, information-security-threats-only police force.
I believe that many security professionals will soon realize that, just as a PMP incorporates risk management through such matrices as scope control, requirements definition, success criteria, vision statement and other formal processes, so also must a CISSP learn to incorporate risk management into the “business practice” through a security project management methodology.
It is my conviction that many ISO/CSOs would be far more effective in promoting their security program objectives if they would simply learn to speak the broader business language of “Risk Management” instead of the narrower language of a Security Management functionary.
Dr. Michael Kelley (www.dr-michael-kelley.com) is an adjunct professor for Sacramento State College of Continuing Education (www.cce.csus.edu) and a scientific advisor for TKG (www.t-k-g.com).
###