Dave Tyson

One of the most common concerns I find when asking security managers about their legacy physical security systems is that, generally, they are not very sure of the level of assurance that exists in their systems, and if they are truly safe from vulnerability or attack. They often dont actually understand their systems ability to withstand attacks from the data network nor do they comprehend what risks they introduce onto the network.

A question recently came up that left me wondering about organizational authority to accept risk or, more specifically, enterprise security risks. One of the less defined aspects of this important area I find in organizations is who in the organization has the ability to accept risk, and to what level. Very few organizations have defined threshold levels that classify the risks that individuals can and cannot accept on behalf of the organization. This can become important when you consider the decisions that staff, managers, directors and senior management make on a daily basis when there are no defined boundaries for risk acceptance.