This is a popular term with IT security leaders. The idea is to convey the level of risk that an organization is willing to accept while pursuing its objectives, before any action is considered necessary to reduce that risk. That level is the risk appetite. It varies with the industry, the company culture, what competitors are doing, the objectives of the business, and of course the financial strength to invest in security.


So how is this term misunderstood by non-IT people? There are two common misconceptions when you throw the words “risk appetite” around. The first is that it is taken literally as an appetite for risk. Think of how a chocolate appetite is a craving for chocolate, and of course we can all agree that there’s no such thing as too much chocolate, right? But when IT security leaders use it, the meaning of risk appetite is the exact opposite. It’s not an appetite for risk; it’s the residual risk that’s left over when the money runs out. The second misconception comes from business people being conditioned to think that the greater the risk, the greater the reward. So when you say risk appetite, a large appetite must mean a much larger potential reward. Again, the meaning is the complete opposite when used by the IT security team. The greater the risk, the greater the cost of failure, and the greater the hurt the organization will feel. There is no upside to this.


What’s the result when IT leaders remain mired in their world of technology and techno-speak, and don’t learn to speak the language of business? The problem is that effectiveness decreases. A disconnect forms between the IT folks and the business leaders, and there’s frustration on both sides due to poor communication. What can you do? First, when you use an ambiguous term like “risk appetite”, explain clearly and often exactly what it means to everyone in the room, especially the non-technical business leaders. Second, consider a different term, such as “failure tolerance” instead of “risk appetite”. Failure tolerance expresses how often the company can experience security failures and still function, how big those failures can be, and whether the business and its objectives can still tolerate them. Of course, as failures increase, the business will struggle to meet its goals. But as an IT security leader, your mission is to negotiate a suitable level of security investment with upper management. This means presenting the possible levels of failure, the instability each would cause, and the tolerance for it, and then asking management to choose. So risk appetite is important. It’s something you should know, and it’s something you should negotiate with business leaders to define for your business.


Do you want to know more about risk appetite? Contact us today or email us at for a demo.