The ISO 31000 Standard: a different perspective on Risk and Risk Management
The biggest challenge for security managers is to demonstrate the value added by security. It is not an easy task for risk management to argue the return on security investment (ROSI), but it is certainly not a mission impossible. In many organizations with a lower maturity in security risk management, the link between investment in security and the value added is not sufficiently explained and justified. Costs for security are therefore regarded as a necessary evil, mainly to meet legal obligations. In more mature organizations the link between security and the value added is well understood; investments in security are therefore related to the protection of value already created within the organization. But can security management also effectively create new value?