Does anyone have experience leading the creation of a risk threshold / appetite statement for a small to medium size company (3,500 employees)? To date, getting senior leadership thinking about their risk posture, tolerance, and appetite has been a bit of a struggle. Giving them a blank sheet of paper isn't as effective, so I would like to provide them "something" to react to. Any suggestions or thoughts?
What are you trying to get them to agree to? That they are OK with not providing funding, people, resources, etc to resolve a problem and that they accept the risk that results from that decision?
If so I just lay it out, explain the problem, explain the options, explain the cost/risks of non-compliance, and then link in any available options or alternatives that could either reduce, remove, reassign, etc. the risk. Then I ask for their signature.
Another thing, if you want to get senior leadership behind you then you need to build up some security capital. By that I will use an example from my past.
I came in to a place that had a high level of distrust of the previous security officer. The previous SO was your typical "Just say No!" security guy (or gal - names, etc. have been changed to protect the guilty). There was such a low level of distrust I had to start from scratch. Sure I had a bunch of policies to work on, but what good are policies if no one trusts you enough to follow them?
So I looked at the operations around me. The previous SO didn't do any investigations and didn't provide any input to the people to help them perform investigations that would stand up if challenged legally. He just said "Yup, you need to fire that guy." based off of a 1- or 2-page piece of accusation/evidence. So we had one particularly egregious offender. I documented his transgressions, carefully prepared a thought-out statement, documented the transgressions and matched them up with current policies, showed the current staff how to replicate my actions, and we terminated the guy. HR and legal were ecstatic over my documentation and evidence collection. I had made 2 new security allies. They started telling the executive management about how good I was and that I knew my stuff. This started building my security capital at the organization.
I formed a good alliance with the CIO and made him my ally as well. I pointed out some good things his staff was doing, that he was unaware of, and brought them to his attention. I kept finding the good stuff while downplaying the stuff that probably should have been dealt with years ago, and I gained the trust of the IT staff. I kept trying to repair the damage from the previous SO and rebuilding bridges until I had built up enough security capital to approach senior management with my other ideas. By that time there were already enough people behind me and to the side of me that my reputation preceded me and they were open to my ideas and plans.
If you are meeting resistance try working it from a different angle.
I submit a risk analysis report to the management periodically / when incidents occur, which includes findings, methodology, an impact assessment, risk-matrix, observations & recommendations, along with references to other documents.
The report ends with a statement that they have to accept the risk if they're unable to follow recommendations provided, and that part is to be signed by them. This effectively 'throws the ball into their court.'
If they're concerned about your reports, they will reach out to you for options regarding the mitigation --- but in any case, you should continue to send the reports to ensure that you've done your part.
For a better response, make proposals to mitigate the risks, backed up by a summary of relevant incidents & their impact on the operations / business.