11 November, 2008 02:59 PM EST
Risk or Security Management: What's In a Term?
Posted By: Tom Scholtz, Research VP

When Gartner security and risk analysts give presentations, write research or talk to clients, we often get criticized for using the terms security and risk management interchangeably. This is deemed to be confusing by the audience as they try to articulate a clear differentiation between these terms. Indeed, in large sections of our client base, vigorous debate is being held on defining, differentiating and positioning information security vs. information risk management.

Well, maybe such a clear differentiation is not always required. Maybe security and risk management are so intertwined that continuously trying to separate them becomes counterproductive. Let's try to look at this objectively: I can make a clear argument that security is an integral part of risk management. But I can make a similarly cogent argument that risk management is an integral part of security management. The definition is largely in the eye of the beholder. It is contextual and situational. Maybe security and risk management are not two sides of the same coin - maybe these disciplines are so integrated that they ARE the coin. The business is interested in the coin, not the pictures embossed on either side of it.

I am not arguing that security and risk management are one and the same. They are indeed discrete disciplines with different functions and activities. And from an organizational perspective, it is important that the different roles are named appropriately to the responsibilities of the individuals concerned. But let's be frank: does your business really care whether you call yourself a security manager or a risk manager? All they want is for (both of?) you to help them manage their information security and IT risks appropriately.

Risk management and security management. It's not either/or. Black or white. So here is my call: Let's spend less time debating and arguing the differences, and more time on using and maturing these extremely important, completely interrelated disciplines.

COMMENTS
12 November, 2008 03:14 PM EST
As the saying goes, "Security is about managing risk". You're right, they are two different disciplines, but you can't do one w/o the other. IT still has too much of a "silo" mentality and has to get beyond it if we are going to be successful. Even though in many companies these are different departments, they have to work together or they will duplicate work, or what one does will conflict with the other and not complement each other.
17 November, 2008 12:52 PM EST
As an analyst, I have gotten used to consistently inconsistent definitions of general terms and the zealots who profess the "real" definition. Vendors are particularly guilty of this with respect to whatever is hot. This is always in evidence at the RSA security show. In 2001 there were 200 intrusion detection vendors, in 2003 there were 200 intrusion prevention vendors, in 2005 there were 200 compliance vendors, in 2008 there were 200 DLP vendors. Mark my words, in 2009 there will be 200 GRC vendors.

Of course, I am guilty of this as well. As an analyst, it is my job to recognize industry trends, group similar requirements and vendors who meet those requirements - and then give the market a name. I cover the data loss prevention (DLP) and GRC markets, which are the most overused terms in the industry today. Which brings me to Tom's post.

I'm also the Role Service Director for Security and Risk Management and I'm supposed to align our research with our end-user clients' needs for those areas. The terms "security", "risk management", "information security", "compliance", "governance", and "GRC" are used very broadly both inside Gartner and by our end-user clients. I have all but given up trying to get common agreement for definition and usage for them. My latest attempt was "A Risk Hierarchy for Enterprise and IT Risk Managers", where I tried to create a common understanding of the difference between enterprise risk management (ERM) and operation risk management (ORM). In the end, my co-authors and I decided that we could only provide guidance for an organization to develop their own definitions of risk.

I am completely in agreement with Tom. Stop wasting your time on the "real" definitions of risk and security and agree on the common definition that you will use internally. There is no right answer, only the one that will help you get on with managing and reasonably anticipating risks with reasonable and appropriate controls.
21 April, 2009 04:02 AM EST
Risk and security management are two different words but complement each other. Andy has said the right things: these two different disciplines cannot work without each other. Risk management involves the tasks related to identifying the risks in future for any business to start or to start something new in the business, while security management involves tasks related to identifying the best possible ways to face the risks with all the best possible alternatives and solutions and secure the business.
