Phil Venables, 11 tweets, 2 min read
Risk management is not only about reducing risk. A thread.

It seems most risk and security programs, and instruction on how to run risk and security programs, focus exclusively on assessing risk, to then implement controls or take other actions to reduce that risk.

1/11
Once the risk is at an acceptable level, the focus is to keep it like that - but essentially do nothing more - except for a periodic or trigger-based revisiting of the assessment. However, a big part of the more successful risk & security programs is to never stop there.

2/11
In fact, achieving the right risk level is merely the very beginning of a more worthwhile journey that improves the way that risks are mitigated. In other words, keep risk flat but improve the efficiency of the controls that mitigate the risk - across multiple dimensions:

3/11
1. Customer experience. Deliver the same risk level but improve the usability of controls - including reducing friction for the customer to sign-up for services or new features. This typically applies in relation to authentication, authorization and fraud prevention.

4/11
2. Cost. Reduce the cost to sustain or upgrade controls and to direct those savings to other improvements - or to other risks where there is still a need to more actively implement new controls to reduce risk.

5/11
3. Efficiency. Optimize the arrangement of controls, or indeed reduce the number of controls implemented for each specific risk, being careful not to impact defense in depth.

6/11
4. Ease of continuous monitoring. Replace controls that are not amenable to continuous performance monitoring, or that don’t emit the right metrics, with ones that do.

7/11
5. Automation. Replace any manual activities progressively with automation to reduce the administrative or other maintenance load.

8/11
6. Adjacent benefits. Develop adjacent benefits for existing controls such as having security logging capture and synthesize more data to assist with performance monitoring, or enhance distributed recovery to not only improve resilience but to increase change windows.

9/11
7. Reduced negative externalities. Enhance controls to reduce impact on other risks, such as improving any trade-offs made between security, resilience and/or performance.

10/11
Bottom line: A true mark of a commercially-oriented security program is to be perpetually optimizing control performance even after risk has been reduced to the right levels.

11/11