I’ve decided to try something a little different. Near the beginning of each quarter I’m going to issue a challenge to everyone (colleagues, clients, vendors, etc.) in order to see if we can’t tackle a common obstacle to business and security. We’ll see how it goes, and I hope you’ll both participate and keep me honest throughout the designated timeframe!
For Q4 2013, here’s my challenge: I challenge you to drop the word “risk” from your vernacular in favor of using more precise language. “Risk” is often accurate in a variety of conversations and scenarios, but it’s rarely the best word possible. Instead, we should strive to be more precise in our language, especially since “risk” has become so commonplace in marketing literature the world over.
For example, when you say “risk,” you may be talking about:
- How to reduce losses, such as from fraud, incidents, or breaches.
- How to limit the impact of vulnerabilities.
- How to limit the impact of (specific) threat actors or threat communities.
- How to improve operational efficiency or effectiveness.
- How to reduce uncertainty in areas like uptime/availability, data integrity, capacity planning, etc.
- How to patch systems in a timely fashion.
- How to respond to audit or security test (such as pentest) findings.
- How to maximize or optimize data confidentiality.
- How to ensure an appropriate level of trust, particularly of asserted identities.
Instead of throwing around the nebulous term “risk” in the coming quarter, I urge you to choose a word that is more meaningful and less likely to be misunderstood, misconstrued, or outright ignored. For example, if you’re talking about how to reduce financial losses due to fraud, talk about fraud and loss instead of “risk.” Specifically, are you trying to reduce losses, increase efficiency or effectiveness, or do something else? Can you state that in a meaningful manner that the business will understand?
What do you think? Can you go a quarter with minimal use of the term “risk”? Do you think it will help improve communication? Please report back on what you’ve found!
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.