abhiminator | 2 years ago

>We're paid to find risk and reduce risk.

There's a dedicated department that already does that in most organizations -- risk management.

One could argue that 'cybersecurity' ought to be a component of 'risk management' versus being on its own which only adds to bloated organization structure and increases bureaucratic complexity.

genmud | 2 years ago

In some orgs, that is the case. In other orgs, risk management might be functionally absent, with legal teams being reviewers of contracts and abdicating that role to outside counsel.

surge | 2 years ago

Yeah, and my team and larger cyber org were under risk management, until some new exec decided to shift us under the technology org (a decision I do not agree with due to conflict of interest).

kstrauser | 2 years ago

At my last shop, we were under Risk, IT, Security, and Compliance, aka RISC.