Organizations with poor planning or a given budget spend more time making excuses than implementing risk management techniques.
Risk management techniques can be found in ISO 31000:2009, NIST SP 800-39, the ISACA Risk IT Framework, and Canada’s ITSG-33 (see more in risk management principles).
The techniques of risk management center on looking at overall organizational security risk and asking the questions, “What happens if a threat causes the organization to lose its capability?” and “Are we prepared?”
All the standards listed above actually share the same risk management techniques, but the trick is to actually implement the risk management. You would think that is a no-brainer, but unfortunately, organizations KNOW what they are supposed to do for due diligence yet spend their time making Risk Management Excuses about why they won’t do it rather than on how they can spend time or money on risk management techniques.
Kudos to the organization that IMPLEMENTS REAL risk management techniques with continuous monitoring within a realistic budget, rather than just passing the risk to someone else, or ignoring the risk and making excuses when things go wrong. As a risk management foot soldier, I KNOW how hard this can be.