In your opinion, who SHOULD own the risk in your organization?

IT Director/Other Senior IT Manager: 16%
CISO/Other Senior Security Manager: 46%
Senior Manager in another part of the organization: 12%
CEO/other board member: 16%
Operational risk: 5%
Other (comment below): 2%

762 participants, 4.7k views, 1 upvote, 8 comments
Director, Experience Design in Education, 2 months ago

Who owns the risk entirely depends on the nature of the risk. It doesn't make much sense for sales to own infosec risk, or for IT to own revenue risk.

Lead Consultant, Customer Success in Software, 4 years ago

Every StakeHolder should own risk

Reply (no title), 4 years ago

Providing the person owning the risk is held accountable to address, mitigate, or accept the risk.

Director in Manufacturing, 5 years ago

Owned by the Application (Budget) owner. In my experience the risk can come from older or unmaintained systems, so if the owner won't fund upgrades, enhancements, or closing security gaps, it's on the owner and the budget to decide to keep the systems and the risk, or shut it down, or fund remediation.

VP, Chief Security & Compliance Officer in Software, 5 years ago

The question is loaded, as there are multiple definitions of risk. A well-structured risk governing body consists of the multiple lenses.

CIO Strategic Advisor in Services (non-Government), 5 years ago

No one person should 'own' risk for an organization. Risk should be transparent and shared among the appropriate stakeholders.

Reply (no title), 5 years ago

What I have seen in risk management is that the risk owner varies depending on the organization. A risk can be assigned to a person or persons responsible for the day-to-day management of that risk. By assigning an owner, the organization ensures someone is accountable for the said risk. If there is no one person or group charged with managing a risk, then by default the entire organization owns the risk, and therefore it is highly likely the risk will fall through the cracks and nothing will be done to address it (well-run organizations assign ownership). Having a risk owner is an important step toward ensuring that a plan to mitigate (or accept) the risk is developed and acted upon in a timely manner to protect the organization from that risk exposure. In my career, I have seen SVPs shown the door because they never took action to address risks identified in audits and the risk became realized.
