8. Understand how risk is perceived around the world. In the U.S., some think of risk only as a component of insurance. In Europe, however, risk is more closely equated with life safety.
9. To create an organizational culture that understands risks, you have to make people want to come to you. Sometimes you have to be the adviser, not the prescriber. "I could create reports on our company's risk all day long and those reports would be great, but no one would read them. I have to target the other managers and develop our program in such a way that they will come to me and ask about our risks," said one senior-level security director.
10. Risk and security are changing where they report. More and more businesses are seeing a trend in which risk and security report to the legal department.