
CONVERSATION GUIDE

Guiding Control Selection

OVERVIEW

The Control Selection Process


1. Explain Risks
Security explains the business risks surfaced during risk assessment to the project owner.

2. Make Recommendations
Security makes a series of control recommendations to mitigate these surfaced risks.

3. Reach Agreement
For each control recommendation, the project owner either accepts it, works with Security to develop a suitable alternative, requests an exception, or elects to formally accept the unmitigated risk.

Key Takeaways
When conducting control selection, consider the following:

1. Identify and involve the relevant stakeholders during control selection. While the project owner is the key
business representative during control selection, other key stakeholders often need to be involved in the decision
process.

2. Cater communications to each stakeholder to drive better risk management outcomes. Security should
account for each stakeholder's bias during the control selection process.

3. Understand how security considerations can affect business goals. Business partners view controls in terms
of both risk management and business outcomes, so Security needs to account for the impact control
recommendations can make on the business.

4. Select controls that weigh benefits versus risks. Identify controls that balance Security's risk management
standards, the business's risk tolerance, the project's unique goals, and the project owner's willingness to accept
risk.

5. Limit the need to escalate by creating options to support business partner decisions. Present controls in
terms of risk/reward trade-offs to negotiate an optimal decision with risk owners.

6. Balance information accessibility needs with potential risk of information loss. Security can support
employee productivity goals by balancing controls that manage risk with efforts to make information more
accessible.

CONTROL SELECTION INVOLVES MANY STAKEHOLDERS
Understand Your Stakeholder Ecosystem

The project owner is the key individual that Security serves during the risk assessment process.
However, when consulting on control selection, Information Security staff often need to engage with end-users,
IT stakeholders, other risk management functions, and even external partners. Therefore, it is critical that
Security formally identifies and appropriately involves the right stakeholders in each control selection
conversation and decision.
Illustrative Depiction of Potential Stakeholders Involved in Control Selection

Potential Stakeholders in Control Selection:
- Project Owner
- Business Partners: General Manager, Director of Finance, Operations Manager
- IT Stakeholders: Service Manager, Solution Architect, Tower Lead
- End-Users: Power Users, Communities of Practice, Remote Workers
- External Partners: Suppliers, Contractors
- Risk Management Functions: General Counsel, Audit, Compliance

Source: CEB analysis.

Additional Research on Interfacing with Other Risk Management Functions
- Streamlined Cross-Functional Risk Decision Making
- Initiative-Based Talent Sharing

CATER COMMUNICATIONS TO ADDRESS EACH STAKEHOLDER'S BIAS
Engagement Drives Risk Management Success
The most common stakeholders during control selection (project owners, line-level employees, and IT) typically
each have their own distinctive characteristics and view of Information Security, which presents unique engagement
challenges. Cater communications and conversations to counter these biases and position Security as an enabler
rather than a road-block.

Key Stakeholders and Common Biases

Project Owner
Key Characteristics: Making more decisions about technology; growing understanding of the impact of information use.
View of Information Security: Security can slow down or inhibit goal achievement.

Line-Level Employees
Key Characteristics: Increasingly able to find ways to use "cool" non-corporate tools and technologies from the consumer world; higher expectations for ease of use.
View of Information Security: Finding more secure alternatives requires more effort and wastes time.

Corporate IT
Key Characteristics: Share technical expertise and knowledge; able to incorporate risk assessments into IT processes.
View of Information Security: Security process can delay critical projects.

Challenge: Stakeholders often perceive Information Security assessments and controls as limiting, making them less willing to engage with security.

Source: CEB analysis.

BALANCE RISK CONSIDERATIONS WITH BUSINESS GOALS

Understand Business Partner Considerations to Determine Risk/Reward Trade-Offs


Business partners view controls in terms of their impact on benefits, not just risks. Without engaging with the project
owner, and even line-level employees, Information Security's vantage point will be incomplete and will lack full
visibility into the business's desired benefits and constraints. To create control recommendations that support optimal
risk/reward trade-offs, Information Security staff need to incorporate stakeholder perspectives during control
selection. Ultimately, though, the business owns information risk, so the project owner should have considerable,
though not absolute, authority to veto or modify controls that place a significant burden on the business.

Conflicting Priorities during Control Selection

What They See (Business Partner / Business Leader): Business Benefits; How Work Gets Done; Costs
What You See (Information Security / Security Professional): Attacks and Threats; Unsecured Employee Behavior; Vulnerabilities
Control Selection sits between these two perspectives.

Source: CEB analysis.

SELECT CONTROLS THAT BALANCE BENEFITS AND RISKS
Unpacking Risk Decision-Making
The inherent characteristics of a project, such as size of benefit and severity of risk, are critical components of risk
decision-making. However, these relatively objective considerations are influenced by the project owner's inherent
risk posture, as well as where the decision falls in their list of priorities. Controls must balance the need to address
risks with the business's risk tolerance and the project owner's priorities. Information Security's role is to enable the
business to manage and take sensible risks in the pursuit of business goals.
Selecting Controls that Balance Benefits and Risks

Benefits (importance and urgency of benefits)
- Project Considerations: How big is the problem or opportunity? Is this an immediate or future priority?
- Stakeholder Considerations: The project owner best understands the business benefits of the project. He must balance the pursuit of these benefits with the potential information risks.

Risks (significance of risk and risk posture)
- Project Considerations: How severe and likely is the risk? What is my inherent posture towards taking risk?
- Stakeholder Considerations: Security serves as a risk adviser to help the business understand information risks and identify potential control remediation options.

Source: CEB analysis.

STRIKING THE RIGHT BALANCE BETWEEN ENABLEMENT AND RESTRICTION

Negotiating Optimal Risk Decisions

Given the need for business enablement, some Security staff may be tempted to routinely concede to the business,
while others may tend to push back and frequently escalate control selection to senior management. A superior
approach is to find controls that strike a balance between business needs and risk reduction. In general, Security
staff should strike a more lenient posture when risky behavior is associated with a compelling business case. In all
cases, Security should present control options in terms of trade-offs, even if Security has a preferred control in mind.
When the business deviates from Security's recommendation, the business must understand that it is accepting this
additional risk.

Navigating Business Resistance to Controls

Typical Reactions to Business Partner Resistance:
- No standards for acceptable behavior: Security concedes to suboptimal risk decisions.
- Escalation is the rule: Business partner resistance is automatically met with escalation to the CISO.

Present Trade-Offs: Create options that vary in terms of risk reduction and business benefits.

Source: CEB analysis.

INFORMATION ACCESSIBILITY IS AN IMPORTANT BUSINESS CONSIDERATION
Ensure Information Remains Accessible
Information Security can support employee productivity goals by reducing the burden of security controls. Security
must balance the risk of information loss with the need for employees to access information to get their jobs done.
While Security functions regularly measure risk levels, they are less likely to evaluate how employees use
information to meet their objectives. When working with the project owner to select controls, be sure to account for
the information accessibility needs of line-level employees.

Balancing Risk with Need for Information Access

The matrix plots Risk of Information Loss (Low to High, vertical axis) against Need for Employees to Access Information (Low to High, horizontal axis), with three regions: Focus on Information Protection, Targeted Approach to Information Protection, and Focus on Information Accessibility.

While traditionally Security has focused on identifying the most important information to protect, progressive
organizations also strive to understand the value of increasing information access.

Source: CEB analysis.

Additional Research on Reducing the Burden Controls Can Place on the Business
- Business-Oriented Information Use Decisions
- Improved Risk Management Through Reduced Customer Effort
