Lessons from the Hall Monitor

Communicating risk doesn’t require flaunting your authority

I act as a risk advisor for my employer or client. It is never my job to say no — it is my job to determine the security implications of their plans, and to present in a logical and empirical format the risks they will encounter. It is up to the owner/users/operators to determine if they want to accept, mitigate, or transfer that risk, and to what degree.

If you want a frustrating and unrewarding career in security, try being Mr. or Ms. “No.” The people you are charged with supporting will avoid you, they will try to end-run your policies, and they will label you a job-stopper. Try saying, “Sure, you can do it that way. Here are the risks you will be taking on…” It is better than being beaten up in the alley after work or getting a wedgie in the office bathroom.


John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail Cool_as_McCumber@cygnusb2b.com.