Risk formula

17.04.2006

According to Rasmussen, several vendors are beta-testing risk dashboards, while "some organizations use SMTP applications to develop them internally." A fully operational dashboard, he adds, will include systems monitoring and server status functionality, as well as automated alerts for exceptions. The presentation layer will be customized depending on the end user -- a senior business executive may see only a red-light/green-light indicator on his home page, while IT staffers would of course see much more detail.

In the early stages of a shift to risk-based security, IT must also conduct an inventory of all technology assets and then assign a value to each -- one of the trickiest phases of the process. This is where ephemeral fears must be turned into hard data. Questions include, "What is the fiscal impact if a given system goes down?" and "What's the fiscal impact if data integrity or confidentiality is compromised?" The answers must address not only short-term transactional problems but also the effects on customer loyalty and stock value.

Gartner's Byrnes says it's vital that business process owners be involved in this stage. Says Avesian, "I spent six months last year finding a single person in each [of Textron's 20-plus units] to serve as a focal point for security assessments." He has formed a 25-member IT risk management team that meets monthly and is part of Textron's formal governance process.

IT must also play a strong role when controls are being assessed and written. That's hardly new, but in risk-based security, there's a twist.

In the past, once the need for a control was established, IT would simply be sent off to create it, with little attention paid to the price tag. But any control -- from an improved firewall to an appropriate-use policy -- has an associated cost. Under the risk-based model, these costs must be closely matched to the potential fiscal impact of the risk.
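The two steps the article describes, putting a fiscal impact on each inventoried asset (transactional loss plus the effects on customer loyalty and stock value) and then matching the cost of a control against that impact, can be carried out as a small risk register. The following is an added example and is not code from the article or from any of the organizations it quotes; the asset, scenario and control figures are constructed, and the expected-annual-loss formula (impact per incident multiplied by the expected number of incidents per year, the usual annualized loss expectancy approach) is an assumption the article itself does not spell out.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Asset:
    """An inventoried technology asset with the per-incident fiscal impact
    broken down the way the article frames it."""
    name: str
    transactional_loss: float   # short-term loss while the system is down / data is bad
    loyalty_loss: float         # longer-term revenue lost to customer churn
    market_value_loss: float    # effect on stock value attributed to the incident

    def impact_per_incident(self) -> float:
        return self.transactional_loss + self.loyalty_loss + self.market_value_loss


@dataclass
class Scenario:
    """One way the asset can be hurt: an outage, or a loss of integrity or
    confidentiality. annual_rate is the estimated number of incidents per year."""
    asset: Asset
    description: str
    annual_rate: float

    def expected_annual_loss(self) -> float:
        # Assumed formula (annualized loss expectancy): impact x incidents per year.
        return self.asset.impact_per_incident() * self.annual_rate


@dataclass
class Control:
    """A candidate control, from a firewall upgrade to an appropriate-use policy,
    with its annual cost and the fraction of incidents it is expected to remove."""
    name: str
    annual_cost: float
    rate_reduction: float       # 0.0 (no effect) .. 1.0 (eliminates the scenario)


def loss_avoided(scenario: Scenario, control: Control) -> float:
    """Expected annual loss the control removes."""
    return scenario.expected_annual_loss() * control.rate_reduction


def net_benefit(scenario: Scenario, control: Control) -> float:
    return loss_avoided(scenario, control) - control.annual_cost


def is_justified(scenario: Scenario, control: Control) -> bool:
    """The article's test: the control's cost must be matched by the fiscal
    impact it averts. A control that costs more than the loss it avoids fails."""
    return loss_avoided(scenario, control) >= control.annual_cost


def rank_controls(scenario: Scenario, controls: List[Control]) -> List[Control]:
    """Order candidate controls by net benefit, best first."""
    return sorted(controls, key=lambda c: net_benefit(scenario, c), reverse=True)


# Constructed sample data (hypothetical figures, not from the article).
ORDER_SYSTEM = Asset("order-entry system",
                     transactional_loss=200_000,
                     loyalty_loss=150_000,
                     market_value_loss=50_000)

OUTAGE = Scenario(ORDER_SYSTEM, "multi-day outage", annual_rate=0.5)

CANDIDATE_CONTROLS = [
    Control("clustered failover", annual_cost=80_000, rate_reduction=0.80),
    Control("second data center", annual_cost=300_000, rate_reduction=0.95),
    Control("appropriate-use policy", annual_cost=5_000, rate_reduction=0.05),
]


if __name__ == "__main__":
    print(f"{OUTAGE.asset.name}: {OUTAGE.description}, "
          f"expected annual loss {OUTAGE.expected_annual_loss():,.0f}")
    for c in rank_controls(OUTAGE, CANDIDATE_CONTROLS):
        verdict = "justified" if is_justified(OUTAGE, c) else "not justified"
        print(f"  {c.name:24s} cost {c.annual_cost:>9,.0f} "
              f"avoids {loss_avoided(OUTAGE, c):>9,.0f} "
              f"net {net_benefit(OUTAGE, c):>+10,.0f}  {verdict}")
```

Run as a script it prints the register for the constructed outage scenario; the second data center is the most effective control but fails the cost test because it costs more than the loss it averts, which is exactly the "price tag" comparison the risk-based model adds. The same functions apply unchanged to integrity or confidentiality scenarios, since only the per-incident impact and the incident rate differ.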