Treat Cyber as a Business Risk
I continue to be frustrated by articles and so-called expert advice on how organizations should address the risk of a cyber breach.
It’s just one of the reasons I wrote Making Business Sense of Technology Risk. The book not only explains how problems related to the use of technology should be considered when making strategic and tactical business decisions, but uncovers fatal flaws in the cyber standards and frameworks.
It’s one thing to say that “cyber is a business risk like any other” (quoting a new article by a partner with Schillings) and another to actually treat it that way.
If you want to treat cyber as another business risk, then it needs to be assessed and evaluated in a way that you can compare it to and aggregate its effect with other sources of business risk.
The author of that article gets several things right:
- What businesses need is a new type of CISO. A CISO who can get involved in digital transformation, but who also has executive management skills and understands that security is an enabler.
- Cyber security is about more than just building and maintaining threat resistant systems. It is both a strategic and risk management issue.
- A CISO today needs to understand business impact and resiliency and have the ability to present clearly and in non-technical language (without acronyms), to the Board. Skill sets need expanding to include risk, enterprise risk management and knowledge of the business.
- CISOs who can’t think strategically have been given the wrong title.
- Boards want to see the impact security has had on the business itself — not just how you improved things on an operational level.
- Boards and senior leadership teams have to make difficult decisions about how much time and money to spend on protecting technology and related services. Risk management is about informing and improving that decision-making process.
- …governing risks to technology systems is no different to governing other business activities. You just need to use the right people, structures and processes to make sensible risk management decisions to achieve your business goals and objectives.
So far, this is excellent. The author is asking the right questions, especially “Boards and senior leadership teams have to make difficult decisions about how much time and money to spend on protecting technology and related services.”
But then it goes terribly wrong.
I strongly disagree with this statement:
The worst reporting line, in my opinion, would be to the CIO, followed by the COO and perhaps the CFO. Better the CEO, Chief Risk Officer or General Counsel. Encouragingly, in the UK’s FTSE350, the majority now have CISOs reporting directly to the Board.
This shows a total lack of understanding of the role of the CIO.
Consider these descriptions:
The role of the CIO is to help to set and lead the technology strategy for an organisation, in concert with the other C-level executives. As such one of the many roles of the CIO is to provide an executive-level interface between the technology department and the rest of the business. (ZDNet 2019)
Due to the reliance on technology to grow and succeed, the CIO will become a fundamental part of the business, have a seat at Exco / Board table and report directly into the CEO. They will be expected to guide the board in the use of IT (aiding King IV™ compliance) and contribute to business performance at a strategic level, seeing the role becoming less technical and operational. (PwC 2017)
As digital becomes a core competency, the CIO plays a key leadership role in the critical strategic, technical and management initiatives — from information security and algorithms to customer experience and leveraging data — that mitigate threats and drive business growth. (Gartner, 2020)
The CIO’s primary role is to make sure the organization is making the best use of technology to both drive and protect the organization. In order to do that, they need a solid understanding of the business and an excellent working relationship with other business leaders.
Make no mistake. Cyber is a technical issue and the challenge is seeing it within the context of the business – making business sense of it.
The CIO is in the perfect position to understand cyber and its potential to affect the business. He or she can understand the damage it can cause, as well as the likelihood of that damage being severe.
This is because they understand the business, how it operates, and the extent to which it relies on technology.
The CIO can appreciate what can and should be done to minimize the possibility of severe damage and be in a position to respond appropriately when (not if) there is a breach.
The CIO is also in a position to contrast the value of an investment in cyber to an investment in new technologies, or even new marketing initiatives or the opening of a new manufacturing facility.
I talked to a NIST Fellow in the process of writing my book. He said that it is disastrous for the CISO to report to the CIO because the CIO will favor spending money on new functionalities over cyber. He had no answer to my reply that maybe the CIO can see there is more value to the organization in those systems.
So let’s empower rather than disembowel the CIO.
Business and not technical decisions need to be made.
One of the problems, which I illustrate in the book, is that few cyber professionals are able to effectively explain the business impact of a breach. Instead, they provide a list of high risk information assets (following NIST, ISO, and FAIR guidance).
That is not actionable information. It is of very little value, limited to deciding where to invest your cyber budget rather than justifying getting a budget in the first place.
If you want money for your area, you have to explain why it makes good business sense – and better business sense than any other investments.
The Schillings author has ten questions the board should ask the CIO.
He misses the top 3 or 4:
- If we have a breach, how would it affect the business and our ability to achieve our objectives for the year?
- How likely is it that we would have a breach that has such a serious impact that we would miss one or more enterprise objectives?
- Is that an acceptable position?
- Is there a business case for investing more in cyber? What would be the effect, in terms of achieving our objectives, of an incremental $1 million, $2 million, etc.? Is this the best use of our resources?
Just to explain the focus on achieving objectives:
- This is how pretty much every organization defines success and what it works towards.
- The significance of a breach can be measured in terms of monetary loss or data exposed. But while that may be in the millions or even tens of millions for larger organizations, the greater concern is whether it will have a lasting effect on revenue, profits, etc.
Making Business Sense of Technology Risk should, IMHO, be essential reading not only for CISOs and their staff, but also for CIOs, CFOs, IT auditors, CROs, and all who want to treat technology-related risks (including but not limited to cyber) as a business risk.
I welcome your thoughts.
Thank you, I enjoyed this article. I don’t have your expertise or experience whatsoever, but your article made me think about this more:
Strong and durable partnership and collaboration between a CISO and CIO is an imperative, in my opinion, not beheading either, but instead creating a symbiotic, positive synergy between the roles (as a new, higher role really) to pursue business technologies at the often harried pace of business demands, while ensuring security throughout those pursuits, which is possible, if rare, but not Pollyannaish. Everything moves faster and more solidly forward with this alliance intact, in my opinion.
Regarding reporting structure: If the CISO role is held accountable at the executive level, as is the CIO, could not the CISO report to whomever the CIO reports to, be it the CEO, CRO or General Counsel?
Lastly, if the CISO reported to the CIO, what would prevent a potential conflict of interest between enabling the pace of adopted business technologies and the pace of securing the technologies adopted, should those interests be divided?
Thank you for an interesting read.
Why should those interests be divided? I see zero conflict of interest as the interests of both are for the success of the organization. Both should be concerned that the better business decision is made, rather than promoting one over the other on other than business grounds.
I see no reason to clutter the hierarchy by having everybody report to the CEO. The same argument is made for the CECO, CCO, CRO, and CAE.
The CIO understands the technology and the business and is the ideal C-suite leader for cyber.
This is an early morning pre-coffee ramble. Respectfully disagree on the reporting structure. The first point we need to understand is cybercrime is the biggest risk facing most organizations today. As such, the CISO must have direct Board access to educate the Board on risks both internally and externally. Having the CIO speak on behalf of the CISO is pointless since the CIO may not possess the knowledge of risk the CISO does. That’s the CISO’s job. CIOs spend their day thinking about technology, not security controls. The reality is cybersecurity is a business problem not an IT problem. Risks are not always technology dependent. We need to stop treating CISOs as subordinates of the CIO/CTO and start treating them as business enablers. I do think most CISOs lack the skeptical mindset. They need to learn to ask assurance-type questions every day. The “how do I know” questions. How do I know our security controls are working? Can’t wait for IA to come in and do an audit. How many companies have you read about that got hit with ransomware because approved endpoint protection was not deployed on 100% of the total population? The CISO (if there was one) should have asked the “how do I know ALL my endpoints are protected” question and verified. It would have been less painful. This is regardless of the technology the CIO/CTO has implemented to achieve a business objective. Plus it’s hard to assess the person you report to. I would even go as far as saying in many instances (not always, depending on the org) the CISO should be treated similar to the chief audit executive – reporting to the board, free from interference and independent of the rest of the org. You can’t tell the person you report to they have serious control failures that are outside the so-called “risk appetite” and hope they fix them. And if they don’t, do you go behind their back and inform the Board or the CAE? That would be a resume-generating event.
What about risks in Finance or any other department that could lead to unauthorized access and disclosure? Corporate theft and loss of data harming the public is not getting better. CISOs need to have the authority to get high-risk controls the business says are unacceptable remediated in a timely manner. Often remediation requires money, but really we should have already worked out most of what we determined as higher risk or unacceptable risk to the company. I am a CISO and to me it is infuriating how low the bar has been set. We need to start doing better and raising the bar.
Thank you for your lengthy and detailed reply.
You start with an assertion that I believe is not supported by the facts: “cybercrime is the biggest risk facing most organizations today.”
Unless you have performed (and almost nobody has done this) a proper risk assessment that describes the potential effect on the achievement of enterprise objectives of a breach, and the likelihood of a significant breach that would inhibit their achievement to a major degree meriting the attention of the board, you don’t know how much of a risk it really is.
There are so many risks that far exceed cybercrime, such as:
– the ability to maintain cash flow in an unstable economy
– the ability to continue product development when people are unable to work together in the lab
– uncertainty about taxes and regulations
– the potential to lose the services of key employees
– government intervention that interrupts sales or the supply chain
– the ability to deliver major projects in a work-from-home environment
– the financial stability of customers and vendors
Everybody has to perform their own risk assessment, in a way that enables the comparison of different sources of risk. They have to provide boards and executives with actionable information. Very few cyber risk assessments meet those standards.
Yes, many surveys list cyber as a top risk. But that is based on news media hype and not facts.
Even those companies that suffered a major breach that embarrassed them in the media went on to report earnings without a hitch.
If the CIO doesn’t understand the risk, you have the wrong CIO. It’s simply not that hard! You may feel he or she doesn’t understand, but that may be because he or she does understand and disagrees.
Cyber has its roots in technology and its effects in the business. The CIO’s job is to understand both.
If the CISO understands both, then that is great. But you can’t have every person who takes care of a major source of risk (such as the Head of Trading) report to the CEO.
If you are the CISO that stands out and has done the sort of risk assessment I suggest is vitally necessary, then I salute you.
BTW, when a CEO has an organization where the CIO and CISO report separately to him, perhaps throwing in an independent CTO, that CEO should expect conflict.
Duane, watch for my next post about the 2020 Verizon Data Breach Investigation Report.