At RSA Charge, I presented the Digital Risk Index (presentation available: "Security & Risk: Tackling Digital Risk Together"). I got positive feedback as the session attendees tried out the tool. The intent of the Digital Risk Index (www.rsa.com/dri) is to spur the conversation on major factors contributing to risk. Specifically, the tool hopes to help bridge the conversation between security, risk and the business.
Can these types of high-level assessments stir the right conversation? Do technical functions, e.g. security, want more nuts-and-bolts types of assessments, or does a high-level assessment such as the DRI give a solid launching point to the dialogue? I feel they should - most technical functions, while living in the world of deployment, are becoming more acutely aware of the business needs. Thoughts?