Problem
Security Management Practice
Risk Decision Scenario:
You are the Chief Information Security Officer (CISO) and report to the Chief Operating Officer (COO), the Business Leader. You have recently updated a risk assessment on one of the COO's business-critical applications. Your risk assessment indicates that the risk associated with this business-critical application could be material to the organization. Material used in this context is defined as:
"A concept that defines why and how certain issues are important for a company or a business sector. A material issue can have a major impact on the financial, economic, reputational, and legal aspects of a company, as well as on the system of internal and external stakeholders of that company."
You discuss this risk with the COO's line of business leader who manages the application, getting additional context regarding the application in question and what options may be available to reduce the risk associated with this business-critical application. You agree that the COO should be aware of this potential material risk and get on the COO's calendar. You both present the results of the risk assessment and options available for reducing the potential risk to the COO. The COO asks several questions, which are answered to their satisfaction. The COO decides to accept the risk that is within their authority as established by organizational policy.
Risk Decision Scenario Question:
What do you do (e.g., accept their decision, ask for clarification on their decision, go over their head to the Chief Executive Officer), and why and how did you arrive at this course of action? You must provide supporting rational for your decision.